This repository has been archived by the owner on May 16, 2024. It is now read-only.

Depends on vulnerable versions of axios #381

Open
flyinghail opened this issue Nov 10, 2023 · 3 comments

@flyinghail

Issue tracker is ONLY used for reporting bugs.

Expected Behavior

Don't show vulnerabilities in dependencies

Current Behavior

npm i

3 moderate severity vulnerabilities

npm audit

# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
No fix available
node_modules/@imtbl/core-sdk/node_modules/axios
  @imtbl/core-sdk  *
  Depends on vulnerable versions of axios
  node_modules/@imtbl/core-sdk
    @imtbl/sdk  *
    Depends on vulnerable versions of @imtbl/core-sdk
    node_modules/@imtbl/sdk

Possible Solution

Upgrade axios to a new version

Steps to Reproduce

  1. npm i @imtbl/sdk
  2. npm audit

Context (Environment)

Windows 11
node v20.9.0

Detailed Description

Possible Implementation

@CodeSchwert
Contributor

CodeSchwert commented Jan 15, 2024

@flyinghail Axios was patched in this PR (immutable/ts-immutable-sdk#1320). The latest version of the SDK should include the fix.

@flyinghail
Author

@imtbl/core-sdk depends on "axios":"^0.26.1". Not fixed yet.
