[Question] Vulnerability Handling for Axios packages

[alexlianides]

Currently openapi-generator-cli's package.json has the following minimum versions set for axios packages:

"@nestjs/axios": "^4.0.0",
"axios": "^1.8.4",

https://github.com/OpenAPITools/openapi-generator-cli/blob/9be75d760ce8bd2b1dec103dbf65132f898a6a44/package.json#L82C4-L87C23

However, form-data 4.0.3 has security vulnerabilities and is a child dependency of the axios package, which itself is a child dependency of nestjs/axios.

axios and nestjs/axios resolved these issues by upgrading their packages in the following recent releases:

• axios v1.11.0: https://github.com/axios/axios/releases/tag/v1.11.0
• @nestjs/axios takes the axios 1.11.0 package (https://github.com/nestjs/axios/blob/master/package.json)

Can the minimum versions for openapi-generator-cli be updated to the following versions to remove the security vulnerability?

"@nestjs/axios": "^4.0.1",
"axios": "^1.11.0",

[wing328]

please file a PR with the suggested change and we will review accordingly

[wing328]

i merged #975

which updated form-data to newer version 4.0.4

can you please have a look to see if the issue is still there?

[alexlianides]

Apologies for the delay in response. Package took a while to upload to private registry.

The security issue regarding form-data has been resolved with the release of 2.23.1

[wing328]

no need to sorry

thanks for testing the latest release to confirm the issue has been resolved.