From bfe593ae5261997f971785ef7a2c108f39d38f09 Mon Sep 17 00:00:00 2001
From: Elian Doran <contact@eliandoran.me>
Date: Fri, 10 Apr 2026 09:59:51 +0300
Subject: [PATCH] feat(server): remove axios

---
 apps/server/package.json                      |  1 -
 .../server/src/services/backend_script_api.ts | 18 ++++++++-----
 pnpm-lock.yaml                                | 26 ++-----------------
 3 files changed, 14 insertions(+), 31 deletions(-)

diff --git a/apps/server/package.json b/apps/server/package.json
index d8b1af5e72..53822a8e05 100644
--- a/apps/server/package.json
+++ b/apps/server/package.json
@@ -78,7 +78,6 @@
     "@types/xml2js": "0.4.14",
     "archiver": "7.0.1",
     "async-mutex": "0.5.0",
-    "axios": "1.14.0",
     "chardet": "2.1.1",
     "cheerio": "1.2.0",
     "chokidar": "5.0.0",
diff --git a/apps/server/src/services/backend_script_api.ts b/apps/server/src/services/backend_script_api.ts
index 3eff3cc355..3cbee3906a 100644
--- a/apps/server/src/services/backend_script_api.ts
+++ b/apps/server/src/services/backend_script_api.ts
@@ -1,7 +1,6 @@
 import type { AttributeRow } from "@triliumnext/commons";
 import { dayjs } from "@triliumnext/commons";
 import { formatLogMessage } from "@triliumnext/commons";
-import axios from "axios";
 import * as cheerio from "cheerio";
 import xml2js from "xml2js";
 
@@ -81,10 +80,10 @@ export interface Api {
     originEntity?: AbstractBeccaEntity<any> | null;
 
     /**
-     * Axios library for HTTP requests. See {@link https://axios-http.com} for documentation
-     * @deprecated use native (browser compatible) fetch() instead
+     * @deprecated Axios was deprecated since April 2024 and has now been removed following the March 2026 supply chain attack.
+     * Use the native fetch() API instead.
      */
-    axios: typeof axios;
+    axios: undefined;
 
     /**
      * day.js library for date manipulation. See {@link https://day.js.org} for documentation
@@ -441,7 +440,14 @@ function BackendScriptApi(this: Api, currentNote: BNote, apiParams: ApiParams) {
         (this as any)[key] = apiParams[key as keyof ApiParams];
     }
 
-    this.axios = axios;
+    // Throw when axios is used (removed after 2 years of deprecation + supply chain attack)
+    const axiosError = () => {
+        throw new Error("api.axios was deprecated since 2024 and has been removed following the March 2026 npm supply chain compromise. Please update your script to use the native fetch() API.");
+    };
+    this.axios = new Proxy(axiosError, {
+        get: axiosError,
+        apply: axiosError
+    }) as unknown as undefined;
     this.dayjs = dayjs;
     this.xml2js = xml2js;
     this.cheerio = cheerio;
@@ -697,7 +703,7 @@ function BackendScriptApi(this: Api, currentNote: BNote, apiParams: ApiParams) {
             return params.map((p) => {
                 if (typeof p === "function") {
                     return `!@#Function: ${p.toString()}`;
-                } 
+                }
                 return p;
             });
         }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 26c874c4f7..839610fad7 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -700,9 +700,6 @@ importers:
       async-mutex:
         specifier: 0.5.0
         version: 0.5.0
-      axios:
-        specifier: 1.14.0
-        version: 1.14.0(debug@4.4.3)
       chardet:
         specifier: 2.1.1
         version: 2.1.1
@@ -6990,9 +6987,6 @@ packages:
     resolution: {integrity: sha512-zJAaP9zxTcvTHRlejau3ZOY4V7SRpiByf3/dxx2uyKxxor19tpmpV2QRsTKikckwhaPmr2dVpxxMr7jOCYVp5g==}
     engines: {node: '>=6.0.0'}
 
-  axios@1.14.0:
-    resolution: {integrity: sha512-3Y8yrqLSwjuzpXuZ0oIYZ/XGgLwUIBU3uLvbcpb0pidD9ctpShJd43KSlEEkVQg6DS0G9NKyzOvBfUtDKEyHvQ==}
-
   b4a@1.6.7:
     resolution: {integrity: sha512-OnAYlL5b7LEkALw87fUVafQw5rVR9RjwGd4KUwNQ6DrrNmaVaUCgLipfVlzrPQ4tWOR9P0IXGNOx50jYCCdSJg==}
 
@@ -11764,10 +11758,6 @@ packages:
   proxy-from-env@1.1.0:
     resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==}
 
-  proxy-from-env@2.1.0:
-    resolution: {integrity: sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==}
-    engines: {node: '>=10'}
-
   prr@1.0.1:
     resolution: {integrity: sha512-yPw4Sng1gWghHQWj0B3ZggWUm4qVbPwPFcRG8KyxiU7J2OHFSoEHKS+EZ3fv5l1t9CyCiop6l/ZYeWbrgoQejw==}
 
@@ -21783,14 +21773,6 @@ snapshots:
 
   await-to-js@3.0.0: {}
 
-  axios@1.14.0(debug@4.4.3):
-    dependencies:
-      follow-redirects: 1.15.11(debug@4.4.3)
-      form-data: 4.0.5
-      proxy-from-env: 2.1.0
-    transitivePeerDependencies:
-      - debug
-
   b4a@1.6.7: {}
 
   babel-plugin-transform-hook-names@1.0.2(@babel/core@7.29.0):
@@ -24261,9 +24243,7 @@ snapshots:
       imul: 1.0.1
     optional: true
 
-  follow-redirects@1.15.11(debug@4.4.3):
-    optionalDependencies:
-      debug: 4.4.3
+  follow-redirects@1.15.11: {}
 
   for-each@0.3.5:
     dependencies:
@@ -24984,7 +24964,7 @@ snapshots:
   http-proxy@1.18.1:
     dependencies:
       eventemitter3: 4.0.7
-      follow-redirects: 1.15.11(debug@4.4.3)
+      follow-redirects: 1.15.11
       requires-port: 1.0.0
     transitivePeerDependencies:
       - debug
@@ -27567,8 +27547,6 @@ snapshots:
 
   proxy-from-env@1.1.0: {}
 
-  proxy-from-env@2.1.0: {}
-
   prr@1.0.1:
     optional: true