You may have seen recent reports about a supply chain security concern affecting certain versions of the axios HTTP library (versions greater than 1.14.0). We want to be transparent with the Strapi community: we investigated every repository in the Strapi GitHub organization, and none of them use an affected version of axios.
What happened?
A supply chain incident was identified affecting axios versions above 1.14.0. Supply chain attacks target the software packages that developers depend on, and when a widely-used library like axios is involved, it understandably raises concern.
Is my Strapi project affected?
If you are running a default Strapi installation, the answer is no.
We conducted a thorough audit across every repository in the Strapi GitHub organization. Here is what we found:
- Strapi core (strapi/strapi) pins axios at 1.13.5, with some transitive dependencies resolving to 1.13.6. Both versions are well below the affected range.
- Strapi documentation (strapi/documentation) resolves axios at 1.9.0.
- SDK plugin (strapi/sdk-plugin) and pack-up (strapi/pack-up) do not use axios at all.
In short: no Strapi repository resolves an axios version greater than 1.14.0.
When could you be affected?
There is one scenario where your Strapi project could be at risk:
If you manually installed or upgraded axios to a version above 1.14.0 in your project. This would only happen if you explicitly added axios yourself, or overrode the version Strapi resolves, for example in custom plugins, middleware, or API integrations that are not part of what Strapi provides by default.
If you are unsure, you can check by running the following command in your project directory:
# For yarn projects
yarn why axios
# For npm projects
npm ls axios
# For pnpm projects
pnpm why axios
If the output shows any axios version greater than 1.14.0, you should downgrade to 1.13.6 or lower until an official fix is available. If the affected copy is pulled in transitively by another dependency rather than by your own package.json, pin it with the `overrides` field (npm, pnpm) or the `resolutions` field (yarn) in package.json and reinstall so the lockfile is regenerated.
What should you do?
- Default Strapi users: No action is needed. Your project is not affected.
- Custom axios installations: If you added axios independently to your project, check the resolved version and downgrade if it exceeds 1.14.0.
- Stay updated: Keep your Strapi installation up to date. We actively monitor our dependency tree for security issues.
Our commitment
Security is a priority for the Strapi team. We maintain pinned and locked dependency versions across all of our repositories to prevent exactly this kind of issue from reaching our users. We will continue to monitor the situation and will communicate any changes if the advisory scope evolves.
If you have questions or concerns, please reach out through our community Discord or GitHub discussions.
Note: Our internal Strapi AI and Strapi Cloud repositories were also audited and verified not to be impacted by this incident. We are unable to share specific dependency details for those projects, but can confirm they do not resolve any axios version in the affected range.