NONJAVACLI-4353: bump axios and pin transitive deps for CVE fixes #478

Open. Devarsh Patel (Devarsh010) wants to merge 2 commits into master from NONJAVACLI-4353.

Conversation

Devarsh Patel (Devarsh010), Member, commented Apr 22, 2026

What

Patches CVEs flagged by Trivy and npm audit against confluent-kafka-javascript v1.9.0. Primarily package.json overrides + direct dep bumps. One small TS adjustment in aes_siv.ts and a devDep pin on ts-jest are included as a separate commit to unblock CI from regressions surfaced by the lockfile regen (see Notes below).

Direct dep bumps

  • schemaregistry/package.json — axios ^1.13.5 → ^1.15.0
  • schemaregistry-examples/package.json — axios ^1.13.5 → ^1.15.0
  • package.json (root) — ts-jest ^29.2.5 → 29.4.9 (exact pin)
  • schemaregistry/package.json — ts-jest ^29.2.4 → 29.4.9 (exact pin)

Root overrides block added to pin vulnerable transitive deps to patched versions. Overrides live only in the root package.json because npm honors overrides only at the top of the project — duplicating them in workspace package.json files would be silently ignored.

| Package | Pinned to | CVE / Advisory |
| --- | --- | --- |
| axios | ^1.15.0 | CVE-2025-62718, CVE-2026-40175 (CRITICAL) |
| follow-redirects | >=1.16.0 | GHSA-r4q5-vmmm-2653 (MEDIUM) |
| @tootallnate/once | >=3.0.1 | npm audit (chain via @google-cloud/kms) |
| serialize-javascript | >=7.0.5 | GHSA-5c6j-r48x-rmvq (HIGH) |
| tar | >=7.5.10 | npm audit (HIGH) |
| underscore | >=1.13.8 | npm audit (HIGH) |
| lodash | >=4.18.0 | npm audit |
| protobufjs | ^7.5.5 | npm audit (kept in 7.x for google-gax peer dep) |
| diff | >=8.0.3 | npm audit |

Lockfile regenerated against registry.npmjs.org.

Notes on deliberate omissions

  • fast-xml-parser (vulnerable range 5.0.0–5.3.7) is not pinned. The @aws-sdk/xml-builder peer dep naturally resolves it to 5.5.8, which is past the vulnerable range. Adding an override forced version conflicts with @aws-sdk's exact peer requirement during testing — minimum-necessary-intervention.
  • mocha is not downgraded. npm audit fix --force would have downgraded mocha to 7.2.0 (a breaking change) to escape vulnerable serialize-javascript@6.x. Our serialize-javascript override pins the transitive directly while leaving mocha at 10.8.2.

Notes on CI unblock (commit ad7a514)
The lockfile regen pulled in @types/node 20.19.41 (within ^20.16.1) and ts-jest 29.4.10 (within ^29.2.4) — both unrelated to the CVE work but they surfaced pre-existing fragility in the schemaregistry workspace:

  • aes_siv.ts: @types/node 20.19.41 made Uint8Array generic (Uint8Array<ArrayBufferLike>), so miscreant's seal/open return type no longer assigned to our declared Uint8Array<ArrayBuffer>. Fixed by wrapping the returns in new Uint8Array(...) to materialize a fresh ArrayBuffer-backed copy, and swapping @ts-expect-error → @ts-ignore (raw tsc still can't resolve miscreant's types because its exports map omits the "types" condition).
  • ts-jest 29.4.10 has a nodenext subpath-resolution regression that breaks @criteria/json-schema/draft-{07,2020-12} imports. 29.4.9 is the latest known-good; pinned exactly until upstream ships a fix.

Neither bug is caused by our CVE changes — they would have surfaced on the next Renovate-triggered lockfile bump regardless. No functional behavior change (the new Uint8Array(...) wrap is byte-equivalent).

Checklist

  • Contains customer facing changes? Including API/behavior changes
    • No. Dependency version bumps only; no public API or runtime behavior changes. The aes_siv.ts change preserves the existing Uint8Array<ArrayBuffer> public signature and is byte-equivalent at runtime.
  • Did you add sufficient unit test and/or integration test coverage for this PR?
    • No new tests added — this is a pure dependency-patch PR with no new behavior. Verified existing test suites still pass on the patched dependency tree (see Test & Review below).

References

JIRA:
https://confluentinc.atlassian.net/browse/NONJAVACLI-4353
https://confluentinc.atlassian.net/browse/NONJAVACLI-4328

Test & Review

All run locally on macOS arm64 against a clean node_modules and lockfile regenerated against registry.npmjs.org:

| Check | Result |
| --- | --- |
| npm audit --registry=https://registry.npmjs.org/ | 0 vulnerabilities |
| make lint (cpplint + eslint) | clean |
| make test (root mocha unit) | 78/78 passing |
| cd schemaregistry && make test (jest unit) | 204/204 passing |
| cd schemaregistry && make integtest (real Kafka + Schema Registry via docker-compose) | 46/46 passing |
| make promisified_test (Kafka client jest e2e against real broker) | 219/224 passing (5 expected skips) |

547 tests run, 542 passed, 5 expected skips, 0 unexpected failures.
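As an added check, not part of this PR or of the confluent-kafka-javascript code base: a small script that walks the `packages` map of a package-lock.json and reports every entry, including nested copies under another package, whose resolved version is below the patched floor from the override table above. The floors are the minimum versions from that table; the lockfile content is constructed for the example, and its names and functions are hypothetical.

```javascript
// Added example (not from the PR): confirm a regenerated package-lock.json actually
// resolved every overridden package at or above its patched floor.

// Minimal "major.minor.patch" comparison; prerelease tags are ignored on purpose.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmp(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Package name from a lockfile "packages" key, e.g.
// "node_modules/mocha/node_modules/serialize-javascript" -> "serialize-javascript".
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? null : p.slice(i + 'node_modules/'.length);
}

// Minimum patched versions, taken from the override table in the PR description.
const FLOORS = {
  axios: '1.15.0', 'follow-redirects': '1.16.0', '@tootallnate/once': '3.0.1',
  'serialize-javascript': '7.0.5', tar: '7.5.10', underscore: '1.13.8',
  lodash: '4.18.0', protobufjs: '7.5.5', diff: '8.0.3',
};

// Returns every lockfile entry that resolved below its floor (empty array == clean).
function findUnpatched(lock, floors = FLOORS) {
  const bad = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (!name || !(name in floors) || !entry.version) continue;
    if (cmp(entry.version, floors[name]) < 0) {
      bad.push({ path, version: entry.version, floor: floors[name] });
    }
  }
  return bad;
}

// Constructed sample lockfile: the copy of serialize-javascript nested under mocha is
// still on 6.x, which is what an override npm ignored (e.g. one placed in a workspace
// package.json instead of the root) looks like after a lockfile regen.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'example-root', version: '0.0.0' },
    'node_modules/axios': { version: '1.15.0' },
    'node_modules/mocha': { version: '10.8.2' },
    'node_modules/mocha/node_modules/serialize-javascript': { version: '6.0.2' },
    'node_modules/tar': { version: '7.5.10' },
  },
};
console.log(JSON.stringify(findUnpatched(SAMPLE_LOCK)));
```

Run it against the real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any non-empty result means an override was not honored.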

Copilot AI review requested due to automatic review settings April 22, 2026 07:32

Copilot AI left a comment

Pull request overview

Updates dependency versions to address CVEs flagged by Trivy / npm audit across the monorepo, primarily by bumping axios and adding root-level npm overrides, then regenerating the lockfile.

Changes:

  • Bump axios to ^1.15.0 in schemaregistry and schemaregistry-examples.
  • Add a root overrides block to force patched transitive dependency versions.
  • Regenerate package-lock.json to reflect the patched dependency tree.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| schemaregistry/package.json | Bumps direct axios dependency to a patched release. |
| schemaregistry-examples/package.json | Bumps dev axios dependency to a patched release. |
| package.json | Adds root npm overrides to enforce patched transitive versions. |
| package-lock.json | Lockfile regeneration reflecting the new overrides and updated transitive graph. |


Comment thread: package.json, comment on lines +68 to +72

```json
"overrides": {
  "axios": "^1.15.0",
  "follow-redirects": ">=1.16.0",
  "@tootallnate/once": ">=3.0.1",
  "serialize-javascript": ">=7.0.5",
```

Copilot AI commented Apr 22, 2026

The new overrides are described as “pinning transitive deps”, but several entries use open-ended ranges (>=... / ^...). That can allow unexpected future major upgrades to enter the tree without a repo change, and reduces reproducibility. Consider switching these overrides to exact versions or upper-bounded ranges so they’re actually pinned to a reviewed set.

The CVE-fix lockfile regen picked up @types/node 20.19.41 (Uint8Array
became generic) and ts-jest 29.4.10 (nodenext subpath resolution
regression). Both surfaced pre-existing fragility unrelated to the
CVE fixes.

- aes_siv.ts: wrap miscreant's seal/open in new Uint8Array(...) to
  materialize Uint8Array<ArrayBuffer>; swap @ts-expect-error to
  @ts-ignore since raw tsc still can't resolve miscreant's types
- pin ts-jest 29.4.9 in root + schemaregistry: 29.4.10 fails to
  resolve @criteria/json-schema/draft-{07,2020-12}