OCPBUGS-76579: [release-4.19]CVE-2026-25639 openshift4/ose-monitoring-plugin-rhel9: Axios affected by Denial of Service via __proto__ Key in mergeConfig

[tonyxrmdavidson]

This PR updates axios from version 1.13.2 to 1.13.5 to remediate GHSA-43fc-jf86-j433. The change is a patch-level update within the same minor release line and introduces only patch-level transitive updates to form-data and follow-redirects. An explicit override has been added to ensure deterministic resolution of the corrected axios version. No other dependency changes were introduced.

During validation, a unit test failure was observed locally in processAlerts.spec.ts (“should mark alert as firing if ended less than 10 minutes ago”). To confirm whether this was related to the CVE bump, the test was reproduced on a clean checkout of the upstream release-4.19 branch using npm ci under both Node 22 and Node 18. The failure occurred identically on the unmodified baseline branch, confirming that it predates and is unrelated to this change.

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-76579 to depend on a bug targeting a version in 4.20.0, 4.20.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

…-plugin-rhel9: Axios affected by Denial of Service via proto Key in mergeConfig

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 49479657-3284-4e45-95b2-02d4386749c6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tonyxrmdavidson]

/jira refresh

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:

• expected dependent Jira Issue OCPBUGS-25639 to target a version in 4.20.0, 4.20.z, but it targets "4.16.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tonyxrmdavidson]

/jira refresh

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:

• expected dependent Jira Issue OCPBUGS-76581 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead
• expected dependent Jira Issue OCPBUGS-25639 to target a version in 4.20.0, 4.20.z, but it targets "4.16.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tonyxrmdavidson]

/jira refresh

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:

• expected dependent Jira Issue OCPBUGS-76581 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead
• expected dependent Jira Issue OCPBUGS-25639 to target a version in 4.20.0, 4.20.z, but it targets "4.16.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[etmurasaki]

/test e2e-monitoring

[tonyxrmdavidson]

/jira refresh

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:

• expected dependent Jira Issue OCPBUGS-76581 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead
• expected dependent Jira Issue OCPBUGS-25639 to target a version in 4.20.0, 4.20.z, but it targets "4.16.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tonyxrmdavidson]

/jira refresh

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:

• expected dependent Jira Issue OCPBUGS-76581 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tonyxrmdavidson]

/jira refresh

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:

• expected dependent Jira Issue OCPBUGS-76581 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tonyxrmdavidson]

ci/prow/e2e-monitoring

The failing Prow jobs are unrelated to my PRs because the errors stem from the Cluster Monitoring Operator not reaching minimum availability (MinimumReplicasUnavailable), which is a Kubernetes deployment readiness issue rather than a frontend or dependency regression. The Cypress UI tests execute successfully, with no axios errors, network failures, or JavaScript runtime exceptions observed in the logs. Since my changes were limited to a dependency bump and did not modify operator manifests, deployment logic, or cluster configuration, there is no technical link between the PR changes and the observed test failures.

[jgbernalp]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jgbernalp, tonyxrmdavidson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jgbernalp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jgbernalp]

/test e2e-monitoring

[etmurasaki]

previous e2e-monitoring failure was caused by automation speed was faster than components loaded and enabled on screen, even though cypress already handles it automatically.
I've run the same automation testing, without any change against a 4.19 cluster and it passed

This was the report from the previous execution in this PR and there was only one failure that passed locally.

anyway, I will try to stabilize this testing in a future PR.

[tonyxrmdavidson]

/jira refresh

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:

• expected dependent Jira Issue OCPBUGS-76581 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[etmurasaki]

/label qe-approved

[etmurasaki]

/override ci/prow/e2e-monitoring

[etmurasaki]

/override e2e-monitoring

[openshift-ci]

@etmurasaki: Overrode contexts on behalf of etmurasaki: ci/prow/e2e-monitoring

Details

In response to this:

/override ci/prow/e2e-monitoring

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@etmurasaki: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• e2e-monitoring

Only the following failed contexts/checkruns were expected:

• CodeRabbit
• ci/prow/e2e-aws-ovn
• ci/prow/e2e-monitoring
• ci/prow/images
• ci/prow/lint
• ci/prow/verify-deps
• pull-ci-openshift-monitoring-plugin-main-e2e-aws-ovn
• pull-ci-openshift-monitoring-plugin-main-e2e-monitoring
• pull-ci-openshift-monitoring-plugin-main-images
• pull-ci-openshift-monitoring-plugin-main-lint
• pull-ci-openshift-monitoring-plugin-main-verify-deps
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override e2e-monitoring

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tonyxrmdavidson]

/jira refresh

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:

• expected dependent Jira Issue OCPBUGS-76581 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tonyxrmdavidson]

/jira refresh

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:

• expected dependent Jira Issue OCPBUGS-76581 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tonyxrmdavidson]

/jira refresh

[openshift-ci-robot]

@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.z) matches configured target version for branch (4.19.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-76581 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-76581 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
• bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@tonyxrmdavidson: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@tonyxrmdavidson: Jira Issue OCPBUGS-76579: All pull requests linked via external trackers have merged:

• openshift/monitoring-plugin#789

Jira Issue OCPBUGS-76579 has been moved to the MODIFIED state.

Details

In response to this:

This PR updates axios from version 1.13.2 to 1.13.5 to remediate GHSA-43fc-jf86-j433. The change is a patch-level update within the same minor release line and introduces only patch-level transitive updates to form-data and follow-redirects. An explicit override has been added to ensure deterministic resolution of the corrected axios version. No other dependency changes were introduced.

During validation, a unit test failure was observed locally in processAlerts.spec.ts (“should mark alert as firing if ended less than 10 minutes ago”). To confirm whether this was related to the CVE bump, the test was reproduced on a clean checkout of the upstream release-4.19 branch using npm ci under both Node 22 and Node 18. The failure occurred identically on the unmodified baseline branch, confirming that it predates and is unrelated to this change.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.