From 42b215406e4d89b6300c1dfe912baf015fef226c Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Apr 2026 20:01:00 +0200 Subject: [PATCH] docs(threatmodel): clarify TLS and tag-replay threat wording (#10722) * Initial plan * docs(threatmodel): clarify certificate and tag-publish wording Agent-Logs-Url: https://github.com/axios/axios/sessions/128b91a1-0b90-4863-9a7e-323d65db5462 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Jay --- THREATMODEL.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/THREATMODEL.md b/THREATMODEL.md index 9de6c5b9..ae86bb7b 100644 --- a/THREATMODEL.md +++ b/THREATMODEL.md @@ -149,7 +149,7 @@ The runtime model is general by design - axios is a transport library and cannot | | | | ----------------- | ------------------------------------------------------------------------------------------------------------------------------ | -| **Description** | Caller passes `httpsAgent: new https.Agent({ rejectUnauthorized: false })` to "fix" a cert error in dev, ships it to prod. | +| **Description** | Caller passes `httpsAgent: new https.Agent({ rejectUnauthorized: false })` to "fix" a certificate error in dev, ships it to prod. | | **Likelihood** | Medium (very common copy-paste anti-pattern) | | **Impact** | High (silent MITM) | | **In scope?** | **No.** axios delegates TLS entirely to Node's `https` module / the browser. We do not inspect or warn on agent configuration. | 
@@ -402,7 +402,7 @@ This is the model that protects **what gets published as `axios` on npm**. A suc | | | | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Description** | Attacker with write access force-pushes an existing tag to point at a malicious commit, or pushes `v1.99.99` to publish out of band. | +| **Description** | Attacker with write access force-pushes an existing tag to point at a malicious commit, or pushes `v1.99.99` so that a release is published out of band. | | **Likelihood** | Low (requires write access - assumed compromised at that point) | | **Impact** | High | | **Mitigations** | • npm rejects re-publishing an existing version - re-tagging you cannot overwrite the published `1.15.0`.
• Provenance attestation records the commit SHA the tag pointed to _at publish time_ - forensically verifiable.
• GitHub tag protection rules can prevent tag deletion/force-push. |
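Review bot: in the `@@ -149,7 +149,7 @@` hunk, expanding "cert" to "certificate" in the Description cell leaves "dev" and "prod" as abbreviations in the same sentence; if the aim is to remove shorthand from the threat wording, make it consistent, e.g. `Caller passes \`httpsAgent: new https.Agent({ rejectUnauthorized: false })\` to "fix" a certificate error in development and ships it to production.` A minor side effect of the longer cell is that the `+` line now overruns the `------` separator row the table uses for source-level alignment; rendering is unaffected, so this is a style nit only.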
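Review bot: in the `@@ -402,7 +402,7 @@` hunk the reworded Description now clearly separates two variants (force-pushing an existing tag, and pushing a new tag such as `v1.99.99`), but the first Mitigations bullet in the unchanged context, "npm rejects re-publishing an existing version - re-tagging you cannot overwrite the published `1.15.0`", covers only the first variant and reads ungrammatically. Since this commit is a wording pass on this very row, suggest tightening it in the same change, e.g. "npm rejects re-publishing an existing version, so re-tagging cannot overwrite the already published `1.15.0`; a new tag is caught only by the tag protection rules and provenance attestation below." The new phrase "so that a release is published out of band" could also state the mechanism more directly: "pushes a new tag such as `v1.99.99` to trigger an out-of-band release."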