
[Aikido] Fix 5 security issues in esbuild, axios #1712

Open
aikido-autofix[bot] wants to merge 2 commits into main from fix/aikido-security-update-packages-51938815-dbhu

Conversation

@aikido-autofix aikido-autofix Bot commented Jun 18, 2026


Upgrade esbuild and axios to fix RCE via binary execution without integrity verification, credential leakage on cross-origin redirects, path traversal on Windows, and malformed URL bypass vulnerabilities.

✅ Code not affected by breaking changes.

✅ No breaking changes from either package upgrade affect this codebase.

esbuild (0.28.0 => 0.28.1):

  • The codebase does not use esbuild's local development server

  • No custom package registries (NPM_CONFIG_REGISTRY) are configured

axios (1.16.1 => 1.18.0):

  • All axios requests use properly formatted URLs (scheme followed by //, e.g. https://)

  • All validateStatus options are explicitly defined as functions, never set to undefined

All breaking changes by upgrading esbuild from version 0.28.0 to 0.28.1 (CHANGELOG)

| Version | Description |
|---|---|
| 0.28.1 | HTTP requests with paths containing \ backslash characters are no longer allowed in the local development server |
| 0.28.1 | The esbuild executable served by custom package registries (via NPM_CONFIG_REGISTRY) must now match the expected content due to integrity checks in the Deno API |

All breaking changes by upgrading axios from version 1.16.1 to 1.18.0 (CHANGELOG)

| Version | Description |
|---|---|
| 1.18.0 | Malformed http: and https: URLs that omit // are now rejected with ERR_INVALID_URL, whereas they may have been accepted previously. |
| 1.18.0 | validateStatus: undefined behavior changed to require opt-in via transitional.validateStatusUndefinedResolves to be treated like the option was omitted; without the opt-in, the behavior differs from previous versions. |

✅ 5 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| AIKIDO-2026-445064 | HIGH | [esbuild] A vulnerability allows attackers to redirect binary downloads to malicious sources by manipulating the NPM_CONFIG_REGISTRY environment variable, enabling remote code execution since downloaded binaries lack SHA-256 integrity verification before execution. |
| GHSA-g7r4-m6w7-qqqr | LOW | [esbuild] A path traversal vulnerability in the development server on Windows allows attackers to bypass directory containment using backslash characters, enabling arbitrary file read access outside the configured servedir root directory. |
| AIKIDO-2026-725219 | LOW | [esbuild] Path traversal vulnerability in the local development server on Windows allows attackers to escape the configured servedir and read arbitrary files using backslash separators in request paths. |
| AIKIDO-2026-291630 | HIGH | [axios] Cross-origin redirects leak custom credential headers like X-API-Key and AWS tokens to unintended hosts, allowing attackers to steal sensitive authentication data. This information disclosure vulnerability affects shared environments where secret headers are set by default. |
| AIKIDO-2026-38469 | MEDIUM | [axios] Malformed HTTP/HTTPS URLs without // (e.g., https:internal.example) were silently normalized instead of rejected, allowing attackers to bypass URL allowlists or WAF checks and reach unintended hosts. The fix now throws an error for invalid scheme URLs before normalization. |

🤖 Remediation details

Fix security vulnerabilities in esbuild and axios (lockfile-only update)

Short summary

This PR remediates high- and medium-severity vulnerabilities in two packages: esbuild (multiple CVEs affecting versions [0.17.0, 0.28.0]) and axios (multiple CVEs affecting versions [0.19.1, 1.17.0]). Both packages are transitive/workspace dependencies resolved through workspace member manifests (packages/constructs/esbuild, packages/cdk-aspects, packages/constructs/header-change-detection, packages/constructs/prerender-proxy). Because the existing parent semver ranges already admitted the patched versions, the fix required only a yarn.lock refresh — no package.json files were modified.

esbuild

esbuild is pulled in as a direct dependency of two workspace packages: @aligent/cdk-esbuild (packages/constructs/esbuild) and @aligent/cdk-aspects (packages/cdk-aspects), both declaring "esbuild": "^0.28.0". The lockfile had resolved this range to 0.28.0, which falls within the vulnerable range. Because ^0.28.0 already permits 0.28.1 (the minimum patched version), no manifest change was needed — running yarn up -R esbuild --mode=update-lockfile was sufficient to advance the single shared lockfile entry to 0.28.1.

axios

axios is a direct dependency of two workspace packages: @aligent/cdk-header-change-detection (packages/constructs/header-change-detection) and @aligent/cdk-prerender-proxy (packages/constructs/prerender-proxy), both declaring "axios": "^1.16.0". It is also a transitive dependency of nx@20.8.4 (spec ^1.8.3). The lockfile had resolved the shared entry to 1.16.1, which falls within the vulnerable range. The ^1.16.0 range already permits 1.18.0 (the minimum patched version), so running yarn up -R axios --mode=update-lockfile advanced the resolved version to 1.18.0 without any manifest edits.

Version changes

| Package | From | To | Why updated |
|---|---|---|---|
| esbuild | 0.28.0 | 0.28.1 | Direct CVE fix — lockfile refresh within existing ^0.28.0 range |
| @esbuild/aix-ppc64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/android-arm | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/android-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/android-x64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/darwin-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/darwin-x64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/freebsd-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/freebsd-x64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/linux-arm | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/linux-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/linux-ia32 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/linux-loong64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/linux-mips64el | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/linux-ppc64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/linux-riscv64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/linux-s390x | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/linux-x64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/netbsd-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/netbsd-x64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/openbsd-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/openbsd-x64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/sunos-x64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/win32-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/win32-ia32 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| @esbuild/win32-x64 | 0.28.0 | 0.28.1 | Lockfile refresh — platform-specific esbuild optional package |
| axios | 1.16.1 | 1.18.0 | Direct CVE fix — lockfile refresh within existing ^1.16.0 range |
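The two axios behaviours the PR describes (scheme-only URLs being silently normalized past an allowlist, and credential headers following a redirect to another origin) are easy to reproduce and guard against at the call site. The following is an added example, not code from the PR, axios or esbuild; the names normalizedHost, validateOutboundUrl, headersForRedirect and DEFAULT_CREDENTIAL_HEADERS are assumptions made for this example, and the only dependency is Node's global WHATWG URL class.

```javascript
// Added example (not code from the PR, axios or esbuild). Two defensive checks
// that mirror the axios behaviours described in the PR: reject scheme-only URLs
// before any normalization, and drop credential headers on cross-origin redirects.
// Names below (normalizedHost, validateOutboundUrl, headersForRedirect,
// DEFAULT_CREDENTIAL_HEADERS) are assumptions made for this example.

// The WHATWG parser (global URL in Node) silently turns "https:internal.example"
// into "https://internal.example/". An allowlist or WAF that inspects the raw
// string may therefore disagree with the host the client actually connects to.
function normalizedHost(raw) {
  return new URL(raw).hostname;
}

// Reject http(s) URLs that omit "//" *before* calling new URL(), then apply a
// hostname allowlist to the parsed result. Throws on any rejection.
function validateOutboundUrl(raw, allowedHosts) {
  const m = /^(https?):(.*)$/i.exec(String(raw));
  if (!m) throw new Error("ERR_INVALID_URL: only http: and https: URLs are accepted");
  if (!m[2].startsWith("//")) {
    throw new Error(`ERR_INVALID_URL: malformed ${m[1].toLowerCase()}: URL, missing //`);
  }
  const url = new URL(raw); // safe to normalize now
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error(`host ${url.hostname} is not on the allowlist`);
  }
  return url;
}

// Headers that must not follow a redirect to another origin. The set is an
// assumption for this example; extend it with whatever secret headers your
// deployment sets by default (the PR names X-API-Key and AWS tokens).
const DEFAULT_CREDENTIAL_HEADERS = new Set([
  "authorization", "proxy-authorization", "cookie", "x-api-key",
  "x-amz-security-token",
]);

// Return the headers to send to `toUrl` after being redirected from `fromUrl`.
// Same origin (scheme + host + port): forward everything. Different origin:
// strip every credential header, case-insensitively.
function headersForRedirect(headers, fromUrl, toUrl, secret = DEFAULT_CREDENTIAL_HEADERS) {
  if (new URL(fromUrl).origin === new URL(toUrl).origin) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!secret.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}
```

Run validateOutboundUrl on every outbound URL before handing it to the HTTP client, and route any custom redirect handling through headersForRedirect so the check does not depend on which axios version the lockfile resolves.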

@aikido-autofix aikido-autofix Bot requested a review from a team as a code owner June 18, 2026 23:59