
Pin axios in framework-dist runtime package #13454

Merged
eahefnawy merged 1 commit into main from cursor/axios-supply-chain-vulnerability-93af
Mar 31, 2026

Conversation

@eahefnawy
Contributor

@eahefnawy eahefnawy commented Mar 31, 2026

Hotfix for the runtime release tarball installed by the binary updater.

Root cause:

  • packages/framework-dist/package.json ships without a lockfile.
  • The binary installer extracts the release archive and runs npm install --no-audit --no-fund --no-progress in package/.
  • @aws-sdk/signature-v4-crt pulls in aws-crt, which depends on axios via ^1.12.2.
  • Fresh installs therefore resolve whatever matching axios version is current, which allowed compromised axios@1.14.1 to be selected during the incident window.

Fix:

  • Add overrides.axios = 1.13.6 to packages/framework-dist/package.json so the extracted runtime package installs a known safe axios version regardless of the transitive semver range.

Validation:

  • Reproduced the runtime package resolution in a clean temp directory.
  • Without the override, a fresh npm install --package-lock-only resolved axios from the transitive semver range.
  • With the override, the same install resolved axios@1.13.6.
  • Packed packages/framework-dist and confirmed the generated tarball contains the override in package/package.json.

Closes: #13453

Summary by CodeRabbit

  • Chores
    • Updated internal dependency versions to improve framework stability and reliability.

Co-authored-by: Eslam λ Hefnawy <eslam@serverless.com>
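As an added example (not code from this PR or the project), a small Node script that checks the two things the description validates: that the extracted runtime package.json pins axios through an exact `overrides` entry, and that a lockfile generated from it resolved every axios copy to that pin. It also shows why the pin matters: a minimal caret-range matcher (an assumed stand-in for npm's semver) confirms that 1.14.1 satisfies ^1.12.2. The package.json and package-lock.json contents are constructed samples.

```javascript
// Added example, not from this PR or the project: check that the extracted
// runtime package.json pins axios and that a generated lockfile honoured it.
// Minimal caret-range check for "^x.y.z" with x >= 1 (a stand-in for npm's
// semver, used only to show why an unpinned transitive range drifts).
function satisfiesCaret(version, range) {
  const [lo, v] = [range.slice(1), version].map((s) => s.split(".").map(Number));
  if (v[0] !== lo[0]) return false; // ^1.x never admits 2.x
  for (let i = 0; i < 3; i++) {
    if (v[i] > lo[i]) return true;
    if (v[i] < lo[i]) return false;
  }
  return true; // exactly the floor version
}

// Exact axios version pinned via package.json "overrides", or null when the
// override is missing or is itself a range (a range would still allow drift).
function pinnedAxios(pkg) {
  const pin = pkg.overrides && pkg.overrides.axios;
  return typeof pin === "string" && /^\d+\.\d+\.\d+$/.test(pin) ? pin : null;
}

// Every axios version resolved in a package-lock.json (lockfileVersion 2/3),
// including nested copies under other packages' node_modules.
function lockedAxiosVersions(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith("node_modules/axios"))
    .map(([, meta]) => meta.version);
}

// True only if the lockfile resolved axios exclusively to the pinned version.
function lockHonoursPin(pkg, lock) {
  const pin = pinnedAxios(pkg);
  const seen = lockedAxiosVersions(lock);
  return pin !== null && seen.length > 0 && seen.every((v) => v === pin);
}

// Constructed samples (not the real files): the runtime package.json with and
// without the override, and the lockfile each one produced.
const pkgFixed = { overrides: { axios: "1.13.6" } };
const pkgUnpinned = {};
const lockFixed = { packages: { "node_modules/axios": { version: "1.13.6" } } };
const lockDrifted = { packages: { "node_modules/axios": { version: "1.14.1" } } };

console.log("1.14.1 satisfies ^1.12.2:", satisfiesCaret("1.14.1", "^1.12.2"));
console.log("fixed package honours pin:", lockHonoursPin(pkgFixed, lockFixed));
console.log("unpinned package honours pin:", lockHonoursPin(pkgUnpinned, lockDrifted));
```

To run it against a real extracted package, replace the constructed objects with `JSON.parse(fs.readFileSync(...))` of `package/package.json` and the lockfile produced by `npm install --package-lock-only`.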
@coderabbitai
Contributor

coderabbitai bot commented Mar 31, 2026

📝 Walkthrough

Added an overrides field to packages/framework-dist/package.json pinning the transitive dependency axios to version 1.13.6, hardening the distributed package against supply chain vulnerabilities without modifying other dependencies or package metadata.

Changes

  • Dependency Pinning: packages/framework-dist/package.json
    • Added overrides.axios = "1.13.6" to pin the transitive axios dependency to a specific version for supply chain security.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A version locked, so firm and tight,
No surprise upgrades in the night!
Axios pinned at one-three-six,
Our supply chain secured, no mix,
Security's the name of the fix! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Linked Issues check: ⚠️ Warning
    • Explanation: This PR partially addresses issue #13450 by pinning axios in framework-dist, but does not implement the primary requirement of replacing axios with fetch+undici or removing axios from sf-core-installer dependencies.
    • Resolution: This PR only pins a transitive axios dependency in framework-dist as a hotfix. The main requirements from #13450 (replacing axios with fetch, removing unused xml2js, pinning versions in sf-core-installer itself) are not addressed and should be completed in the primary issue PR.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately describes the main change: pinning axios in the framework-dist runtime package to address supply-chain vulnerability concerns.
  • Out of Scope Changes check: ✅ Passed. The change is narrowly scoped to adding an overrides field in framework-dist package.json, which is directly related to mitigating axios supply-chain exposure and is within scope.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.


@Mmarzex
Contributor

Mmarzex commented Mar 31, 2026

Snyk checks have passed. No issues have been found so far.

  • Open Source Security: Critical 0, High 0, Medium 0, Low 0 (0 issues)
  • Licenses: Critical 0, High 0, Medium 0, Low 0 (0 issues)
  • Code Security: Critical 0, High 0, Medium 0, Low 0 (0 issues)

@eahefnawy eahefnawy marked this pull request as ready for review March 31, 2026 23:37
@eahefnawy eahefnawy merged commit ea2b1aa into main Mar 31, 2026
13 checks passed
@eahefnawy eahefnawy deleted the cursor/axios-supply-chain-vulnerability-93af branch March 31, 2026 23:47
@github-actions github-actions bot locked and limited conversation to collaborators Mar 31, 2026

Development

Successfully merging this pull request may close these issues.

Tarball'd project @serverlessinc/framework-alpha continues to install unpinned transitive dependencies

3 participants