Azure / static-web-apps-cli

Azure Static Web Apps CLI ✨

Home Page:https://aka.ms/swa/cli-local-development


Outdated dependencies with moderate severity security issues (CVE-2023-45857)

JamesBurnside opened this issue · comments

tl;dr - the wait-on dependency needs to be updated to update the axios sub-dependency version

Describe the bug
Nested dependency axios needs to be updated for CVE-2023-45857 (axios/axios#6006); this is fixed in axios.
This dependency appears to stem from the wait-on package that has since updated to fix this: jeffbski/wait-on#147

Expected outcome
Update wait-on dependency to v7.2.0+

update-notifier also needs an update:
yeoman/update-notifier#218

Fixed in 6.0.0 (Jun 23, 2022), latest version 7.0.0 (Oct 27, 2023).

Complete audit report:

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @azure/static-web-apps-cli@0.2.1, which is a breaking change
node_modules/axios
  wait-on  5.0.0-rc.0 - 7.1.0
  Depends on vulnerable versions of axios
  node_modules/wait-on
    @azure/static-web-apps-cli  >=0.3.0
    Depends on vulnerable versions of update-notifier
    Depends on vulnerable versions of wait-on
    node_modules/@azure/static-web-apps-cli

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @azure/static-web-apps-cli@0.2.1, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

Let's generalize this and ensure all "npm audit" packages are upgraded.