✨ Strapi MCP is now Generally Available - let your agents manage your Strapi content ✨

3 min read

Axios Supply Chain Incident: Your Strapi Project Is Safe

March 31, 2026Updated on June 14, 2026
Axios Supply Chain Incident: Your Strapi Project Is Safe

You may have seen recent reports about a supply chain security concern affecting certain versions of the axios HTTP library (versions greater than 1.14.0). We want to be transparent with the Strapi community: we investigated every repository in the Strapi GitHub organization, and none of them use an affected version of axios.

What happened?

A supply chain incident was identified affecting axios versions above 1.14.0. Supply chain attacks target the software packages that developers depend on, and when a widely-used library like axios is involved, it understandably raises concern.

Is my Strapi project affected?

If you are running a default Strapi installation, the answer is no.

We conducted a thorough audit across every repository in the Strapi GitHub organization. Here is what we found:

In short: no Strapi repository resolves an axios version greater than 1.14.0.

When could you be affected?

There is one scenario where your Strapi project could be at risk:

If you manually installed or upgraded axios to a version above 1.14.0 in your project. This would only happen if you explicitly added or overrode the axios version yourself, for example, for custom plugins, middleware, or API integrations outside of what Strapi provides by default.

If you are unsure, you can check by running the following command in your project directory:

# For yarn projects
yarn why axios

# For npm projects
npm ls axios

# For pnpm projects
pnpm why axios

If the output shows any axios version greater than 1.14.0, you should downgrade to 1.13.6 or lower until an official fix is available.

What should you do?

  • Default Strapi users: No action is needed. Your project is not affected.
  • Custom axios installations: If you added axios independently to your project, check the resolved version and downgrade if it exceeds 1.14.0.
  • Stay updated: Keep your Strapi installation up to date. We actively monitor our dependency tree for security issues.

Our commitment

Security is a priority for the Strapi team. We maintain pinned and locked dependency versions across all of our repositories to prevent exactly this kind of issue from reaching our users. We will continue to monitor the situation and will communicate any changes if the advisory scope evolves.

If you have questions or concerns, please reach out through our community Discord or GitHub discussions.


Note: Our internal Strapi AI and Strapi Cloud repositories were also audited and verified not to be impacted by this incident. We are unable to share specific dependency details for those projects, but can confirm they do not resolve any axios version in the affected range.

Derrick Mehaffy Support Engineer Team Lead

Related Posts

ProductBeginner·3 min read

We're removing the Free plan from Strapi Cloud

We're making Strapi Cloud better, and that means being honest about what hasn't been working. When we launched the Free...

·July 13, 2026
mcp server
Product·8 min read

The Strapi MCP server is now GA: a stable surface to wire agents to your content

Two months ago, the story was quiet quality work: the unglamorous fixing of small things that quietly get in the way of...

·June 29, 2026
Strapi June Community Call Recap
Beginner·8 min read

Strapi June Community Call Recap - Updates, news, Strapi MCP in GA.

TL;DR The call had two parts: quality work on the core, and new AI features. The main one is the native MCP server,...

·June 29, 2026