[3 moderate severity vulnerabilities when running npm audit] CodeceptJS package dependency 'openai v3.2.1' is using outdated version of axios with known vulnerability
muiboonyang opened this issue
What are you trying to achieve?
0 vulnerabilities when running 'npm audit' command
What do you get instead?
3 moderate severity vulnerabilities
Provide console output if related. Use --verbose mode for more details.
$ npm audit
npm audit report
axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install codeceptjs@3.4.1, which is a breaking change
node_modules/openai/node_modules/axios
openai 2.0.0 - 3.3.0
Depends on vulnerable versions of axios
node_modules/openai
codeceptjs >=3.5.0
Depends on vulnerable versions of openai
node_modules/codeceptjs
3 moderate severity vulnerabilities
Provide test source code if related
// NA
Details
- CodeceptJS version: 3.5.13
- NodeJS Version: 20.11.1
- Operating System: Windows, macOS
- puppeteer || webdriverio || testcafe version (if related): N/A, using playwright 1.41.2
- Configuration file:
"node_modules/codeceptjs": {
"version": "3.5.13",
"resolved": "https://registry.npmjs.org/codeceptjs/-/codeceptjs-3.5.13.tgz",
"integrity": "sha512-Q3HdNkF8jUW5mnqmYl5XtUA+DIJNRrsea2F/SfRzYSZA1yixdBulS6Y+OhWsTcL7c5p5kSPNOLM3x9tawN4hoQ==",
"dev": true,
"dependencies": {
"@codeceptjs/configure": "0.10.0",
"@codeceptjs/helper": "2.0.1",
"@cucumber/cucumber-expressions": "17",
"@cucumber/gherkin": "26",
"@cucumber/messages": "24.0.1",
"@xmldom/xmldom": "0.8.10",
"acorn": "8.11.3",
"arrify": "2.0.1",
"axios": "1.6.7",
"chai": "5.0.3",
"chai-deep-match": "1.2.1",
"chai-exclude": "2.1.0",
"chai-json-schema": "1.5.1",
"chai-json-schema-ajv": "5.2.4",
"chai-match-pattern": "1.3.0",
"chai-string": "1.5.0",
"chalk": "4.1.2",
"commander": "11.1.0",
"cross-spawn": "7.0.3",
"css-to-xpath": "0.1.0",
"csstoxpath": "1.6.0",
"devtools": "8.29.1",
"envinfo": "7.11.0",
"escape-string-regexp": "4.0.0",
"figures": "3.2.0",
"fn-args": "4.0.0",
"fs-extra": "11.2.0",
"glob": "6.0.1",
"html-minifier-terser": "7.2.0",
"inquirer": "6.5.2",
"js-beautify": "1.14.11",
"lodash.clonedeep": "4.5.0",
"lodash.merge": "4.6.2",
"mkdirp": "1.0.4",
"mocha": "10.2.0",
"ms": "2.1.3",
"openai": "3.2.1", // <== package with vulnerability
"ora-classic": "5.4.2",
"pactum": "3.6.0",
"parse-function": "5.6.10",
"parse5": "7.1.2",
"promise-retry": "1.1.1",
"resq": "1.11.0",
"sprintf-js": "1.1.1",
"uuid": "9.0"
},
"bin": {
"codeceptjs": "bin/codecept.js"
},
"engines": {
"node": ">=16.0",
"npm": ">=5.6.0"
},
"optionalDependencies": {
"@codeceptjs/detox-helper": "1.0.2"
}
},
=====================================
"node_modules/codeceptjs/node_modules/openai": {
"version": "3.2.1",
"resolved": "https://registry.npmjs.org/openai/-/openai-3.2.1.tgz",
"integrity": "sha512-762C9BNlJPbjjlWZi4WYK9iM2tAVAv0uUp1UmI34vb0CN5T2mjB/qM6RYBmNKMh/dN9fC+bxqPwWJZUTWW052A==",
"dev": true,
"dependencies": {
"axios": "^0.26.0", // <== axios version with vulnerability
"form-data": "^4.0.0"
}
},
=====================================
"node_modules/codeceptjs/node_modules/openai/node_modules/axios": {
"version": "0.26.1", // <== axios version with vulnerability
"resolved": "https://registry.npmjs.org/axios/-/axios-0.26.1.tgz",
"integrity": "sha512-fPwcX4EvnSHuInCMItEhAGnaSEXRBjtzh9fOtsE6E1G6p7vl7edEeZe11QHf18+6+9gR5PbKV/sGKNaD8YaMeA==",
"dev": true,
"dependencies": {
"follow-redirects": "^1.14.8"
}
},
Other comments:
- Issue was previously reported here on 13 Nov 2023 - #4000
- Issue was closed on 3 Dec 2023, but vulnerability has not been fixed as the root issue (of using an outdated openai package) has not been resolved
- Would require the team to update the openai dependency package to a later version (I have checked and the latest version 4.28.0 has replaced axios with node-fetch, which would solve the problem).
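An added example (not code from the issue or from the CodeceptJS project) that locates every installed copy of a package in a lockfileVersion 2/3 package-lock.json and flags the copies that fall inside the advisory's version range, so a nested copy like the one under openai above shows up with the package that pulled it in. The lockfile object is a constructed fragment mirroring the tree in this report.

```javascript
// Added example, not from the issue or CodeceptJS: walk the "packages" map of
// a package-lock.json and report every installed copy of a package, flagging
// those inside an advisory range. The lock object is constructed for the demo.
const constructedLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/codeceptjs": { version: "3.5.13", dependencies: { axios: "1.6.7", openai: "3.2.1" } },
    "node_modules/axios": { version: "1.6.7" },
    "node_modules/codeceptjs/node_modules/openai": { version: "3.2.1", dependencies: { axios: "^0.26.0" } },
    "node_modules/codeceptjs/node_modules/openai/node_modules/axios": { version: "0.26.1" },
  },
};

// Compare two "x.y.z" versions numerically (pre-release tags are ignored here).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Parent package of a nested install path, or "<root project>" for a hoisted copy.
function parentOf(installPath) {
  const idx = installPath.lastIndexOf("/node_modules/");
  return idx === -1 ? "<root project>" : installPath.slice(0, idx);
}

// Every installed copy of `name`, with the path of the package that pulled it in.
function findCopies(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith("/" + suffix))
    .map(([p, info]) => ({ path: p, version: info.version, parent: parentOf(p) }));
}

// Copies whose version lies inside the advisory range [min, max] (inclusive).
function vulnerableCopies(lock, name, min, max) {
  return findCopies(lock, name).filter(
    (c) => compareVersions(c.version, min) >= 0 && compareVersions(c.version, max) <= 0
  );
}

// Range reported by npm audit in this issue for GHSA-wf5p-g6vw-rhxx: axios 0.8.1 - 1.5.1.
for (const c of vulnerableCopies(constructedLock, "axios", "0.8.1", "1.5.1")) {
  console.log(`${c.path} (${c.version}) is vulnerable; pulled in by ${c.parent}`);
}
```

A copy nested under another package, like the openai one here, is not fixed by bumping the project's own axios dependency; it needs the parent updated (as the maintainer did in 3.6.x) or an npm `overrides` entry in package.json.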
Fixed in 3.6.x
openai removed