⚠️ Axios Compromised, Meteor 3.4 affected?

I don’t have any direct Axios dependencies, but in searching my system I saw that Meteor 3.4 does through rspack (@rsdoctor/rspack-plugin).

rsdoctor have already patched with 1.5.7.

To be safe, I added the following to my package.json:

"overrides": {
  "axios": "1.14.0"
}

and pinned

"devDependencies": {
  "@rsdoctor/rspack-plugin": "1.5.7"
},

Don’t know if more needs to be done. The first link has steps to check if your system was affected.

Thanks for the report.

We will ensure that in the next Meteor 3.4.1 release, @rsdoctor/rspack-plugin is set to at least version 1.5.7. This way, any Meteor app will get the update automatically when running meteor update --npm or when starting the app with the new Meteor version.
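One way to confirm that the override and the pin from this thread actually took effect is to walk the resolved tree in package-lock.json. This is an added example, not code from either poster or from Meteor; it assumes an npm lockfile with lockfileVersion 2 or 3, and the function names and sample lockfile are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json against the versions named in the thread.
const AXIOS_PIN = "1.14.0";   // override value from the first post
const RSDOCTOR_MIN = "1.5.7"; // patched @rsdoctor/rspack-plugin version from the thread

// Compare plain x.y.z versions; prerelease tags are ignored (simplifying assumption).
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package name is whatever follows the last "node_modules/" in a lockfile key,
// so nested (transitive) copies are identified as well as hoisted ones.
function nameOf(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

function auditLock(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project entry and workspace links, which carry no version.
    if (!key.includes("node_modules/") || !meta.version) continue;
    const name = nameOf(key);
    if (name === "axios" && meta.version !== AXIOS_PIN) {
      findings.push({ path: key, version: meta.version, reason: "axios differs from override" });
    }
    if (name === "@rsdoctor/rspack-plugin" && cmpVersion(meta.version, RSDOCTOR_MIN) < 0) {
      findings.push({ path: key, version: meta.version, reason: "rsdoctor plugin below 1.5.7" });
    }
  }
  return findings;
}

// Constructed sample lockfile: one hoisted axios at the pin, one nested copy that is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/@rsdoctor/rspack-plugin": { version: "1.5.6" },
    "node_modules/@rsdoctor/rspack-plugin/node_modules/axios": { version: "1.13.0" },
    "node_modules/axios": { version: "1.14.0" },
  },
};
console.log(auditLock(sampleLock));
```

To run it on a real project, pass the parsed contents of the app's package-lock.json to auditLock instead of sampleLock; an empty result means every resolved copy matches the versions above.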