nestjs / axios

Axios module for Nest framework (node.js) 🗂

Home Page: https://docs.nestjs.com/techniques/http-module

Still using old 0.21.1 axios version

ryanmr opened this issue · comments

I'm submitting a...


[ ] Regression 
[x] Bug report
[ ] Feature request
[ ] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Current behavior

This package locks on "axios": "0.21.1", while there are open CVEs for versions below 0.21.4.

Expected behavior

Either using latest, using axios as a peer dependency or upgrading to the latest non-vuln version.

Minimal reproduction of the problem with instructions

https://snyk.io/vuln/SNYK-JS-AXIOS-1579269

What is the motivation / use case for changing the behavior?

Environment

Nest version: X.Y.Z

This issue occurs with the latest version of this package at 0.0.1

For Tooling issues:
- Node version: XX  
- Platform:  

Others:

Upgrading from an older nest 7 to nest 8 system, I saw HttpModule was deprecated and followed the update instructions. But this package is below 1.0 and is using a locked dep too.

I know a couple of PRs have been opened already to bump the version up to 0.21.4 but I've submitted an alternative PR which does that and also loosens up the semver notation ^0.21.4 to allow for any future versions to satisfy this package's axios dependency. #149

Can we get this resolved (with #149) ASAP. This is critical for companies that need to stay within compliance in Snyk.

Any news about this? It's quite a blocker for more than a week.

Any updates? It's super critical...

Tracking this here #145
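A lockfile check for the condition reported in this issue, as an added example that is not part of the thread or of the @nestjs/axios project: it walks an npm lockfile and lists every installed axios copy below 0.21.4, including copies nested under another package. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example; helper names are illustrative, not from any library.
const FIXED = [0, 21, 4]; // the issue reports CVEs for axios below 0.21.4
// "0.21.1" -> [0, 21, 1]; pre-release and build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1).map(Number);
}

const isBelow = (a, b) => {
  const i = a.findIndex((n, k) => n !== b[k]); // first differing component
  return i !== -1 && a[i] < b[i];
};

// Returns [{ path, version }] for every installed axios copy older than FIXED.
// Handles lockfileVersion 2/3 ("packages", flat keys) and 1 ("dependencies", nested).
function findOldAxios(lock) {
  const hits = [];
  const check = (path, version) => {
    if (version && isBelow(parseVersion(version), FIXED)) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/axios")) check(path, meta.version);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "axios") check(path, meta.version);
        walk(meta.dependencies, `${path}/`); // descend into nested installs
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed lockfile: top-level axios is fixed, the copy nested under @nestjs/axios is not.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/axios": { version: "0.21.4" },
    "node_modules/@nestjs/axios": { version: "0.0.1" },
    "node_modules/@nestjs/axios/node_modules/axios": { version: "0.21.1" },
  },
};
console.log(findOldAxios(sampleLock));
```

Because the pin lives inside the dependent package, upgrading the application's own axios entry leaves the nested copy in place, which is why the check inspects every path rather than only the top level.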