Skip to content

Axios vulnerability #142

Description

@paulwoelfel

Version 0.6.0 introduces an axios vulnerability:

# npm audit report

axios  1.0.0 - 1.8.1
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
fix available via `npm audit fix --force`
Will install @google-cloud/synthetics-sdk-api@0.5.1, which is a breaking change
node_modules/@google-cloud/synthetics-sdk-api/node_modules/axios
  @google-cloud/synthetics-sdk-api  >=0.6.0
  Depends on vulnerable versions of axios
  node_modules/@google-cloud/synthetics-sdk-api

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
❯ npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating @google-cloud/synthetics-sdk-api to 0.5.1, which is a SemVer major change.

removed 1 package, changed 1 package, and audited 538 packages in 1s

40 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

here is the extract from my package-lock.json:

{
 "node_modules/@google-cloud/synthetics-sdk-api": {
      "version": "0.6.0",
      "resolved": "https://registry.npmjs.org/@google-cloud/synthetics-sdk-api/-/synthetics-sdk-api-0.6.0.tgz",
      "integrity": "sha512-dRS3x7NAYUdET6SQ6+scu3eUGUtgH2PAY8Zx+0DDvB7Zo5ymVIP1b0hbAkLLDZzg9wNQFSDAh59A0lEuU3Zpyw==",
      "license": "Apache-2.0",
      "dependencies": {
        "@google-cloud/opentelemetry-cloud-trace-exporter": "2.1.0",
        "@opentelemetry/api": "1.6.0",
        "@opentelemetry/auto-instrumentations-node": "0.39.2",
        "@opentelemetry/instrumentation": "0.43.0",
        "@opentelemetry/sdk-node": "0.43.0",
        "@opentelemetry/sdk-trace-base": "1.17.0",
        "@opentelemetry/sdk-trace-node": "1.17.0",
        "axios": "1.6.7",
        "error-stack-parser": "2.1.4",
        "google-auth-library": "9.0.0",
        "ts-proto": "1.148.1",
        "winston": "3.10.0"
      }
    }
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions