Upgrade axios to >=0.21.1 to fix high vulnerability

Question

Upgrade axios to >=0.21.1 to fix high vulnerability

liyuting1010 opened this issue 4 years ago · comments

Hi,
could we ask to update the axios version to avoid the SSRF vulnerability?

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ analytics-node                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ analytics-node > axios                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Kyle Peeler · Answer 1 · Wed Jan 06 2021 02:51:29 GMT+0800 (China Standard Time)

Please fix 🙏

Steven Black · Answer 2 · Wed Jan 06 2021 04:52:34 GMT+0800 (China Standard Time)

@pooyaj Are you able to escalate this fix?

Patrick Bassut · Answer 3 · Wed Jan 06 2021 07:20:46 GMT+0800 (China Standard Time)

Thanks for raising the issue. We're looking into it and we'll merge it ASAP

Pooya Jaferian · Answer 4 · Wed Jan 06 2021 09:11:29 GMT+0800 (China Standard Time)

Thanks everyone for flagging this. The 3.5.0 should have the fix!