Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update axios dependency to 1.6.5 #323

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

ahmedtausif
Copy link

This PR updates axios package to 1.6.5 to address

  1. axios Prototype Pollution Vulnerability.
  2. follow-redirects Improper Input Validation Vulnerability

Ran following commands:

  • yarn test
  • yarn lint
  • yarn compile

@eithe
Copy link
Contributor

eithe commented Feb 26, 2024

@robinheinze Any chance this could be merged and released?

We've had to disable npm audit on PRs due to this (since it reports Severity: moderate Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc)

@atrinidad-hu
Copy link

Are there any updates on this?

@janwiebe-jump
Copy link

According to CVE-2024-39338 we should update to 1.7.4 or higher

@eithe
Copy link
Contributor

eithe commented Sep 6, 2024

I'm at the React Universe conference and Infinite Red has a stand here, I'll try to nag them about this later :)

@eithe
Copy link
Contributor

eithe commented Sep 6, 2024

They are open to complete this, but with this new info on 1.7.4 instead of 1.6.5, the PR should perhaps be updated if the OP is still around? If not perhaps create a new one?

@eithe
Copy link
Contributor

eithe commented Sep 6, 2024

According to CVE-2024-39338 we should update to 1.7.4 or higher

Back on my laptop now. I did not spot it on my mobile, but I see that it is a different issue than this was originally about (GHSA-jchw-25xp-jwwc), but I don't see any breaking changes in the axios changelog so it would be cool to just go all the way to latest 1.7.x.

@ahmedtausif You around?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants