Security vulnerability in '[email protected]' #161

hsnabsmryum opened this issue Oct 24, 2024 · 0 comments

Comments


hsnabsmryum commented Oct 24, 2024

[email protected] (the latest version at the time of writing this issue) depends on a specific version of axios without ^ or ~ markers:

https://github.com/saucelabs/network-viewer/blob/2.4.4/package.json#L47

[email protected] has a known vulnerability: Axios Cross-Site Request Forgery Vulnerability

It has been fixed in [email protected] and I understand that I can override this with resolutions in my package.json, but seeing this much strictness in network-viewer's package.json makes me believe that it wasn't meant to be upgraded?

At the very least, it tells me that network-viewer hasn't been tested with [email protected], so even if I override it via resolutions, I don't have enough confidence that I won't break anything, besides the following warning:

warning Resolution field "[email protected]" is incompatible with requested version "[email protected]"

Minimal project to reproduce the audit report:

yarn init --yes
yarn add [email protected]
yarn audit

Output:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Axios Cross-Site Request Forgery Vulnerability               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.28.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ network-viewer                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ network-viewer > axios                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1097679                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 98
Severity: 1 Moderate

Same thing in npm:

npm init --yes
npm install [email protected]
npm audit

Specifications

  • Version: v2.4.4
  • Platform: macOS
  • Subsystem: Node.js v20.17.0 - yarn v1.22.19
hsnabsmryum changed the title from "Security vulnerability in '[email protected]`" to "Security vulnerability in '[email protected]'" on Oct 24, 2024
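The issue above turns on two things a consumer of a library has to reason about: a transitive dependency pinned to one exact version (no `^` or `~`), and whether a `resolutions`/`overrides` entry that forces a patched version is one the dependent has actually declared it accepts. The following is an added example, not code from the network-viewer project or from the issue author: a plain Node.js checker that lists exact-pinned entries in a package.json object, compares the effective version of a dependency against an advisory's `Patched in` range of the `>=x.y.z` form that `yarn audit` prints, and flags when an override differs from the version the dependent pinned (the situation behind yarn's "Resolution field ... is incompatible" warning). The sample dependent package.json, its axios version (`0.27.0`), the `react` entry and all function names are constructed for this example; the real axios version pinned in network-viewer 2.4.4 is not shown on this page.

```javascript
// Added example: a self-contained dependency-pin checker in plain Node.js.
// Not code from network-viewer or from the issue author; the sample
// package.json below is constructed and its axios version is invented.

// Parse a bare x.y.z version (optionally with a leading "v"); null for ranges.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric (not lexical) comparison of two plain versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`not a plain x.y.z version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A range is an exact pin when it is a bare version with no ^, ~, comparators
// or wildcards, so the dependent only ever accepts that single version.
function isExactPin(range) {
  return parseVersion(range) !== null;
}

// List every exact-pinned entry across the dependency fields of a package.json object.
function findExactPins(pkg) {
  const fields = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];
  const pins = [];
  for (const field of fields) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (isExactPin(range)) pins.push({ field, name, range });
    }
  }
  return pins;
}

// Check a version against a "Patched in" range of the ">=x.y.z" form that yarn audit prints.
function satisfiesPatched(version, patchedIn) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(String(patchedIn).trim());
  if (!m) throw new Error(`unsupported patched-in range: ${patchedIn}`);
  return compareVersions(version, m[1]) >= 0;
}

// Assess one dependency of `dependentPkg` against an advisory, taking the
// consumer's resolutions/overrides map into account.
function assessTransitiveDependency(dependentPkg, depName, advisory, resolutions = {}) {
  const requested = (dependentPkg.dependencies || {})[depName];
  if (requested === undefined) return { status: 'not-a-dependency', name: depName };
  const exactPin = isExactPin(requested);
  const override = resolutions[depName];
  // Without an override we only know the installed version for an exact pin;
  // a caret/tilde range would need the lockfile to resolve, so it stays null.
  const effective = override !== undefined ? override : (exactPin ? requested : null);
  return {
    status: 'assessed',
    name: depName,
    requested,
    exactPin,
    effective,
    vulnerable: effective === null ? null : !satisfiesPatched(effective, advisory.patchedIn),
    // True when the override differs from what the dependent pinned, i.e. the
    // dependent has never declared that it accepts the overridden version.
    overrideConflictsWithPin: override !== undefined && exactPin && compareVersions(requested, override) !== 0,
  };
}

// Constructed sample dependent package.json (not network-viewer's real file;
// the axios version here is invented for the example).
const sampleDependent = {
  name: 'sample-dependent',
  version: '0.0.0',
  dependencies: { axios: '0.27.0', react: '^18.2.0' },
};

// Advisory fields as printed by yarn audit on the page; only patchedIn is used.
const axiosAdvisory = {
  package: 'axios',
  title: 'Axios Cross-Site Request Forgery Vulnerability',
  patchedIn: '>=0.28.0',
};

console.log('exact pins:', findExactPins(sampleDependent));
console.log('as shipped:', assessTransitiveDependency(sampleDependent, 'axios', axiosAdvisory));
console.log('with resolution:', assessTransitiveDependency(sampleDependent, 'axios', axiosAdvisory, { axios: '0.28.0' }));
```

Run with `node` as-is; to check a real file, replace `sampleDependent` with `JSON.parse(fs.readFileSync('node_modules/<dependent>/package.json', 'utf8'))` and pass your own `resolutions` (or npm `overrides`) object. A `vulnerable: false` together with `overrideConflictsWithPin: true` is exactly the state the reporter describes: the advisory is cleared, but the override runs the dependent against a version it never declared support for, so it still needs to be tested rather than assumed safe.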