Dependency vulnerability alerts for React SPA (advisory; requires confirmation).
# React SPA security dependency alerts

Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files.

Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades.

### CVE-2021-3749 — axios Inefficient Regular Expression Complexity vulnerability

Context: Malicious response headers with many colons can cause excessive backtracking in header parsing regex.

Source: https://github.com/advisories/GHSA-cph5-m8f7-6c5x

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2021-3749: axios may be vulnerable. Malicious response headers with many colons can cause excessive backtracking in header parsing regex. Patched versions: axios >=0.21.2

CHECK for dependency conflicts before proposing any upgrade:

Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2021-23337 — Command Injection in lodash

Context: Template functions can execute arbitrary code when processing untrusted input strings.

Source: https://github.com/advisories/GHSA-35jh-r3h4-6jhm

WHEN you detect `lodash` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2021-23337: lodash may be vulnerable. Template functions can execute arbitrary code when processing untrusted input strings. Patched versions: lodash >=4.17.21

CHECK for dependency conflicts before proposing any upgrade:

Run: `npm ls lodash`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2025-27152 — axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Context: Absolute URLs in axios requests bypass baseURL and route requests to attacker-controlled origins, leaking credentials.

Source: https://github.com/advisories/GHSA-jr5f-v2jv-69x6

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2025-27152: axios may be vulnerable. Absolute URLs in axios requests bypass baseURL and route requests to attacker-controlled origins, leaking credentials. Patched versions: axios >=0.30.0

CHECK for dependency conflicts before proposing any upgrade:

Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-25639 — Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Context: Malicious config objects with __proto__ properties can crash mergeConfig and cause denial of service.

Source: https://github.com/advisories/GHSA-43fc-jf86-j433

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2026-25639: axios may be vulnerable. Malicious config objects with __proto__ properties can crash mergeConfig and cause denial of service. Patched versions: axios >=0.30.3

CHECK for dependency conflicts before proposing any upgrade:

Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-4800 — lodash vulnerable to Code Injection via `_.template` imports key names

Context: Template imports with untrusted key names can execute arbitrary code via Function constructor injection during compilation.

Source: https://github.com/advisories/GHSA-r5fr-rjxr-66jc

WHEN you detect `lodash` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2026-4800: lodash may be vulnerable. Template imports with untrusted key names can execute arbitrary code via Function constructor injection during compilation. Patched versions: lodash >=4.18.0

CHECK for dependency conflicts before proposing any upgrade:

Run: `npm ls lodash`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-42043 — Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Context: Proxy bypass via RFC 1122 loopback subnets can route sensitive requests through untrusted intermediaries despite NO_PROXY rules.

Source: https://github.com/advisories/GHSA-pmwg-cvhr-8vh7

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2026-42043: axios may be vulnerable. Proxy bypass via RFC 1122 loopback subnets can route sensitive requests through untrusted intermediaries despite NO_PROXY rules. Patched versions: axios >=0.31.1

CHECK for dependency conflicts before proposing any upgrade:

Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-42033 — Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Context: Prototype pollution from co-dependencies can enable silent response tampering and request hijacking if axios properties lack hasOwnProperty guards.

Source: https://github.com/advisories/GHSA-pf86-5x62-jrwf

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2026-42033: axios may be vulnerable. Prototype pollution from co-dependencies can enable silent response tampering and request hijacking if axios properties lack hasOwnProperty guards. Patched versions: axios >=0.31.1

CHECK for dependency conflicts before proposing any upgrade:

Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-42035 — Axios: Header Injection via Prototype Pollution

Context: Prototype pollution can trick Axios into calling attacker-controlled getHeaders methods that inject arbitrary HTTP headers into outgoing requests.

Source: https://github.com/advisories/GHSA-6chq-wfr3-2hj9

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2026-42035: axios may be vulnerable. Prototype pollution can trick Axios into calling attacker-controlled getHeaders methods that inject arbitrary HTTP headers into outgoing requests. Patched versions: axios >=0.31.1

CHECK for dependency conflicts before proposing any upgrade:

Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---
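As an added example (not part of these instructions and not the project's own tooling), the following script implements the detect-and-WARN step for every advisory above by reading an npm lockfile offline, so nothing is modified. It assumes a lockfileVersion 2/3 layout (`packages` keyed by `node_modules/<name>`), reads "vulnerable version" as any version below the advisory's listed patched floor, and uses a constructed sample lockfile.

```javascript
// Added example, not from the instruction file above. Scans an npm lockfile for the
// advisories listed on this page and renders WARN lines; it never edits any file.
const ADVISORIES = [
  { cve: "CVE-2021-3749",  pkg: "axios",  patched: "0.21.2",  ghsa: "GHSA-cph5-m8f7-6c5x" },
  { cve: "CVE-2021-23337", pkg: "lodash", patched: "4.17.21", ghsa: "GHSA-35jh-r3h4-6jhm" },
  { cve: "CVE-2025-27152", pkg: "axios",  patched: "0.30.0",  ghsa: "GHSA-jr5f-v2jv-69x6" },
  { cve: "CVE-2026-25639", pkg: "axios",  patched: "0.30.3",  ghsa: "GHSA-43fc-jf86-j433" },
  { cve: "CVE-2026-4800",  pkg: "lodash", patched: "4.18.0",  ghsa: "GHSA-r5fr-rjxr-66jc" },
  { cve: "CVE-2026-42043", pkg: "axios",  patched: "0.31.1",  ghsa: "GHSA-pmwg-cvhr-8vh7" },
  { cve: "CVE-2026-42033", pkg: "axios",  patched: "0.31.1",  ghsa: "GHSA-pf86-5x62-jrwf" },
  { cve: "CVE-2026-42035", pkg: "axios",  patched: "0.31.1",  ghsa: "GHSA-6chq-wfr3-2hj9" },
];
// Numeric major.minor.patch comparison; a pre-release suffix is ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Every installed copy counts, including nested ones under another package's
// node_modules, which `npm ls <pkg>` also reports.
function findVulnerable(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const m = path.match(/node_modules\/((?:@[^/]+\/)?[^/]+)$/);
    if (!m || !entry.version) continue;
    for (const adv of ADVISORIES) {
      if (adv.pkg === m[1] && compareVersions(entry.version, adv.patched) < 0) {
        hits.push({ ...adv, path, installed: entry.version });
      }
    }
  }
  return hits;
}
// WARN text in the wording the sections above prescribe, plus where the copy lives.
function warnLine(hit) {
  return `⚠️ ${hit.cve}: ${hit.pkg} may be vulnerable (${hit.installed} at ${hit.path}). ` +
    `Patched versions: ${hit.pkg} >=${hit.patched}. Source: https://github.com/advisories/${hit.ghsa}`;
}
// Constructed sample lockfile: top-level lodash is patched, a nested copy is not.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "my-spa", version: "1.0.0" },
    "node_modules/axios": { version: "0.21.1" },
    "node_modules/lodash": { version: "4.18.0" },
    "node_modules/some-lib/node_modules/lodash": { version: "4.17.20" },
  },
};
```

Run it against a real project with `findVulnerable(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))` and print `warnLine` for each hit; the CHECK (`npm ls <pkg>`) and CONFIRM steps above still apply before any upgrade.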