Support Bulletin: Node Agent Update and Axios Dependency Pinned to 1.12.2


Support Bulletin: Contrast Node Agent — Axios Dependency Pinned to 1.12.2 
Published: March 31, 2026 | Severity: Informational | Affected: Node Agent customers

 

Summary

Recent reports have identified compromised versions of the popular axios library (versions 1.14.1 and 0.30.4). Contrast Security Node agent users are not affected. Our agent never included the compromised versions, and we have proactively released Node agent version 5.53.1 with the axios dependency hard-pinned to exactly 1.12.2 to eliminate any future supply chain risk.

 

Are Contrast Customers Affected?

No. The Contrast Node agent specified its axios dependency as ^1.12.2, which npm resolves to >=1.12.2 <1.13.0. This range never included version 1.14.1 — the identified compromised release. Your applications were not at risk.

 

What We Did

As a proactive measure, we released Node agent version 5.53.1 with the axios dependency hard-pinned to exactly 1.12.2. While our existing configuration was already secure, hard-pinning eliminates any floating range ambiguity and ensures absolute clarity for your environment going forward.

 

What You Should Do

Recommended: Update your Contrast Node agent to version 5.53.1.

To independently verify the update in your environment, inspect your lockfile for the axios resolution. After updating, it should show axios pinned to exactly 1.12.2.

 

Background: Why This Matters

Supply chain vulnerabilities often thrive on unverified assumptions. Even when a dependency range appears safe, floating version specifiers (^ or ~) can introduce risk if a future compromised version falls within the resolution range. Hard-pinning removes that ambiguity entirely and is consistent with the high security standard we maintain for our customers.
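The lockfile check from "What You Should Do" and the exact-versus-floating distinction above can be scripted as follows. This is an added example, not Contrast's tooling: it assumes an npm `package-lock.json` with a `packages` map (lockfileVersion 2 or 3), and the package name `example-agent` and the sample lockfile are constructed.

```javascript
// Added example: audit every axios entry in an npm lockfile (v2/v3 "packages" map).
const COMPROMISED = new Set(["1.14.1", "0.30.4"]); // versions named in the bulletin
const EXPECTED = "1.12.2"; // exact pin the bulletin says to expect after updating

function auditAxios(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error("lockfile has no \"packages\" map (lockfileVersion 1 is not handled here)");
  }
  const resolved = []; // every installed copy of axios, nested copies included
  const declared = []; // every package that lists axios in "dependencies"
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "node_modules/axios" || path.endsWith("/node_modules/axios")) {
      resolved.push({ path, version: entry.version,
                      compromised: COMPROMISED.has(entry.version) });
    }
    const spec = entry.dependencies && entry.dependencies.axios;
    if (typeof spec === "string") {
      // Treat only a bare x.y.z as an exact pin; ^, ~, >=, x-ranges and tags float.
      declared.push({ from: path || "(root project)", spec,
                      exact: /^\d+\.\d+\.\d+$/.test(spec) });
    }
  }
  return {
    resolved, declared,
    compromised: resolved.filter(r => r.compromised).map(r => r.path),
    allExpected: resolved.length > 0 && resolved.every(r => r.version === EXPECTED),
  };
}

// Constructed sample: "example-agent" is a hypothetical package name, and the
// application is assumed to carry its own floating axios dependency.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.0", "example-agent": "5.53.1" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/example-agent": { version: "5.53.1", dependencies: { axios: "1.12.2" } },
    "node_modules/example-agent/node_modules/axios": { version: "1.12.2" },
  },
});

console.log(JSON.stringify(auditAxios(SAMPLE_LOCK), null, 2));
```

To run it against a real project, pass the text of `package-lock.json` to `auditAxios`; a non-empty `compromised` list identifies the install path that needs attention, which may belong to the application rather than to the agent.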

 

Questions?

If you have any questions or would like to discuss our analysis further, please contact us at support@contrastsecurity.com or open a ticket through the Support Portal.

 
