[Snyk] Fix for 1 vulnerabilities

[sestinj]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• core/package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-AXIOS-16417750	848

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

---

Summary by cubic

Upgrades axios to ^1.15.2 to fix a critical Prototype Pollution vulnerability. Also bumps vectordb to 0.21.2; only core/package.json changed.

• Dependencies
  • axios: ^1.6.7 → ^1.15.2 (fixes SNYK-JS-AXIOS-16417750)
  • vectordb: 0.4.20 → 0.21.2

^{Written for commit d50d24e. Summary will update on new commits.}

[continue]

Docs Review

No documentation updates needed for this PR.

This is an automated Snyk security fix that bumps internal dependency versions (axios and vectordb) in core/package.json. These changes fix a critical Prototype Pollution vulnerability but don't affect any user-facing APIs, configuration options, or documented workflows.

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="core/package.json">

<violation number="1" location="core/package.json:79">
P1: Regenerate and commit core/package-lock.json for this dependency bump. Without the lockfile update, locked installs can still resolve the old axios/vectordb versions, so the security fix won't take effect.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P1: Regenerate and commit core/package-lock.json for this dependency bump. Without the lockfile update, locked installs can still resolve the old axios/vectordb versions, so the security fix won't take effect.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/package.json, line 79:

<comment>Regenerate and commit core/package-lock.json for this dependency bump. Without the lockfile update, locked installs can still resolve the old axios/vectordb versions, so the security fix won't take effect.</comment>

<file context>
@@ -76,7 +76,7 @@
     "adf-to-md": "^1.1.0",
     "async-mutex": "^0.5.0",
-    "axios": "^1.6.7",
+    "axios": "^1.15.2",
     "cheerio": "^1.0.0-rc.12",
     "commander": "^12.0.0",
</file context>