
fix(orchestrator): update axios dependencies (#2767)#2810

Merged
lholmquist merged 1 commit into workspace/orchestrator from orchestrator-1.9-axios-cve
Apr 17, 2026

Conversation

@lholmquist
Member

Hey, I just made a Pull Request!

This is the manual cherry-pick of #2767

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

@rhdh-qodo-merge

rhdh-qodo-merge Bot commented Apr 17, 2026

Code Review by Qodo

🐞 Bugs (1)   📘 Rule violations (0)   📎 Requirement gaps (0)
⛨ Security (1)

Action required

1. Old axios still installed 🐞
Description
The orchestrator workspace still pulls in axios@1.13.2 via @openapitools/openapi-generator-cli even
after bumping direct deps to ^1.15.0, so installs still include an older axios version. This
undermines the stated goal of updating axios for CVE remediation and may keep vulnerability scanners
failing.
Code

workspaces/orchestrator/plugins/orchestrator-common/package.json[61]

+    "axios": "^1.15.0",
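Review bot: the caret range on this line only governs the direct dependency; the `axios@1.13.2` that `@openapitools/openapi-generator-cli` pins in `yarn.lock` is unaffected by it, so either bump the generator CLI or add a `resolutions` entry for `axios` in the workspace `package.json`, regenerate `yarn.lock`, and confirm with `yarn why axios` that only one version remains.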
Relevance

⭐⭐⭐ High

CVE remediation PRs expect lockfile to eliminate vulnerable versions; leaving axios 1.13.2 would
fail scanners.

PR-#2767
PR-#1842
PR-#2046

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The changeset explicitly states this change is for an axios CVE update. However, in the orchestrator
workspace lockfile, @openapitools/openapi-generator-cli is pinned to axios 1.13.2, and yarn.lock
contains both axios 1.13.2 and 1.15.0 entries—meaning the workspace still installs the older axios
version.

workspaces/orchestrator/.changeset/lucky-cars-study.md[1-7]
workspaces/orchestrator/plugins/orchestrator-common/package.json[57-70]
workspaces/orchestrator/yarn.lock[9993-10002]
workspaces/orchestrator/yarn.lock[17815-17835]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
This PR bumps direct axios dependencies to `^1.15.0`, but `workspaces/orchestrator/yarn.lock` still installs `axios@1.13.2` via `@openapitools/openapi-generator-cli`. As a result, the orchestrator workspace still contains an older axios version even after this update.

## Issue Context
- `@openapitools/openapi-generator-cli@2.25.2` is a devDependency and is locked to `axios: 1.13.2` in the workspace lockfile.
- The changeset message indicates the intent is CVE remediation.

## Fix Focus Areas
- Update the devDependency that pins axios, and/or force a workspace-wide axios version:
 - workspaces/orchestrator/plugins/orchestrator-common/package.json[64-70]
 - workspaces/orchestrator/package.json[52-60]
- Regenerate the lockfile after the dependency/resolution change:
 - workspaces/orchestrator/yarn.lock[9993-10002]
 - workspaces/orchestrator/yarn.lock[17815-17835]

## Suggested approaches
1) Preferably bump `@openapitools/openapi-generator-cli` to a version that depends on a non-vulnerable axios.
2) If upgrading isn’t feasible, add a `resolutions` entry for `axios` in `workspaces/orchestrator/package.json` to enforce `axios@^1.15.0`, then run `yarn --cwd workspaces/orchestrator install` (and commit the updated `yarn.lock`).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
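Both suggested approaches end with the same question: after `yarn install`, does any lockfile entry still resolve axios below the fixed version, and which package pulls it in? The Node script below, added here as an illustration and not code from the PR or the RHDH project, answers that against a constructed sample lockfile. The `auditPackage` helper and the `LOCK_BEFORE`/`LOCK_AFTER` strings are the example's own names, not anything from the repository.

```javascript
// Added example (not code from the PR or the RHDH project): audit a yarn.lock
// for a package that a CVE bump was meant to remove. Lists every resolved
// version, flags versions below the fixed one, and names the entries that
// still depend on them. Parses both Yarn classic (`axios@^1.11.0:` /
// `  version "1.13.2"`) and Yarn Berry (`"axios@npm:^1.11.0":` /
// `  version: 1.13.2`) entry styles.

// Compare major.minor.patch numerically; prerelease and build tags are ignored.
function compareSemver(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Split "@scope/name@npm:^1.2" into { name: "@scope/name", range: "^1.2" }.
function splitDescriptor(desc) {
  const at = desc.indexOf('@', desc.startsWith('@') ? 1 : 0);
  return { name: desc.slice(0, at), range: desc.slice(at + 1).replace(/^npm:/, '') };
}

// Parse lockfile text into entries { keys, version, deps }; deps maps a
// dependency name to the range this entry asks for (peerDependencies sit at
// the same indent and are picked up too).
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header: comma-separated descriptors, optionally quoted, ending in ':'
      const keys = line.replace(/:\s*$/, '').split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      cur = { keys, version: null, deps: {} };
      entries.push(cur);
      continue;
    }
    if (!cur) continue;
    const v = line.match(/^ {2}version:?\s+"?([^"\s]+)"?/);
    if (v) { cur.version = v[1]; continue; }
    // 4-space indented `name "range"` (classic) or `name: range` (Berry) lines
    const d = line.match(/^ {4}"?(@?[^\s":]+)"?:?\s+"?(?:npm:)?([^"\s]+)"?\s*$/);
    if (d) cur.deps[d[1]] = d[2];
  }
  return entries;
}

// Find the entry that (name, range) resolves to, or null if it is absent.
function resolveEntry(entries, name, range) {
  return entries.find((e) => e.keys.some((k) => {
    const d = splitDescriptor(k);
    return d.name === name && d.range === range;
  })) || null;
}

// Report { versions, vulnerable } for `pkg`: every resolved version, and for
// each one below `fixedVersion` the descriptors resolving to it plus the
// lockfile entries that depend on it.
function auditPackage(lockText, pkg, fixedVersion) {
  const entries = parseYarnLock(lockText);
  const byVersion = {};
  for (const e of entries) {
    if (!e.version) continue;
    for (const k of e.keys) {
      if (splitDescriptor(k).name !== pkg) continue;
      if (!byVersion[e.version]) byVersion[e.version] = { descriptors: [], dependents: [] };
      byVersion[e.version].descriptors.push(k);
    }
  }
  for (const e of entries) {
    const range = e.deps[pkg];
    if (range === undefined) continue;
    const target = resolveEntry(entries, pkg, range);
    if (target && byVersion[target.version]) byVersion[target.version].dependents.push(e.keys[0]);
  }
  const vulnerable = Object.keys(byVersion)
    .filter((v) => compareSemver(v, fixedVersion) < 0)
    .map((v) => ({ version: v, ...byVersion[v] }));
  return { versions: Object.keys(byVersion).sort(compareSemver), vulnerable };
}

// Constructed sample (Yarn classic style), not the real workspaces/orchestrator/yarn.lock:
// direct deps already on ^1.15.0, but the generator CLI still pins 1.13.2.
const LOCK_BEFORE = `
"@openapitools/openapi-generator-cli@2.25.2":
  version "2.25.2"
  dependencies:
    axios "1.13.2"

axios@1.13.2:
  version "1.13.2"

axios@^1.15.0:
  version "1.15.0"
`;

// Constructed lockfile after a `"resolutions": { "axios": "^1.15.0" }` entry
// and `yarn install`: both descriptors now collapse onto a single 1.15.0 entry.
const LOCK_AFTER = `
"@openapitools/openapi-generator-cli@2.25.2":
  version "2.25.2"
  dependencies:
    axios "1.13.2"

axios@1.13.2, axios@^1.15.0:
  version "1.15.0"
`;

console.log(JSON.stringify(auditPackage(LOCK_BEFORE, 'axios', '1.15.0'), null, 2));
console.log(JSON.stringify(auditPackage(LOCK_AFTER, 'axios', '1.15.0'), null, 2));
```

To run it against a real workspace, replace the sample string with `require('fs').readFileSync('workspaces/orchestrator/yarn.lock', 'utf8')`. `yarn why axios` gives the same dependents view from Yarn itself; the script adds a pass/fail (`vulnerable.length === 0`) that can gate CI. The semver compare deliberately ignores prerelease tags, so it treats `1.15.0-beta.1` as already at the floor.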



@sonarqubecloud

@rhdh-qodo-merge

Review Summary by Qodo

Update axios dependencies to fix CVE-2026-40175

🐞 Bug fix

Walkthroughs

Description
• Update axios dependency from ^1.11.0 to ^1.15.0
• Addresses CVE-2026-40175 security vulnerability
• Applied across three orchestrator packages
• Added changeset documenting patch version updates
Diagram
flowchart LR
  CVE["CVE-2026-40175<br/>Security Vulnerability"]
  AXIOS["axios ^1.11.0<br/>to ^1.15.0"]
  PKG1["orchestrator-common"]
  PKG2["orchestrator"]
  PKG3["scaffolder-backend-module-orchestrator"]
  CHANGESET["Changeset<br/>patch updates"]
  
  CVE -- "fix" --> AXIOS
  AXIOS -- "update" --> PKG1
  AXIOS -- "update" --> PKG2
  AXIOS -- "update" --> PKG3
  PKG1 --> CHANGESET
  PKG2 --> CHANGESET
  PKG3 --> CHANGESET

File Changes

1. workspaces/orchestrator/.changeset/lucky-cars-study.md 📝 Documentation +7/-0

Add changeset for axios CVE fix

• Created new changeset file documenting the axios security fix
• Marks patch version updates for three orchestrator packages
• References CVE-2026-40175 vulnerability



2. workspaces/orchestrator/plugins/orchestrator-common/package.json Dependencies +1/-1

Update axios dependency version

• Updated axios dependency from ^1.11.0 to ^1.15.0
• Addresses security vulnerability in axios package



3. workspaces/orchestrator/plugins/orchestrator/package.json Dependencies +1/-1

Update axios dependency version

• Updated axios dependency from ^1.11.0 to ^1.15.0
• Addresses security vulnerability in axios package



4. workspaces/orchestrator/plugins/scaffolder-backend-module-orchestrator/package.json Dependencies +1/-1

Update axios dependency version

• Updated axios dependency from ^1.11.0 to ^1.15.0
• Addresses security vulnerability in axios package




@lholmquist lholmquist merged commit 1bd539f into workspace/orchestrator Apr 17, 2026
11 checks passed

1 participant