npm audit fails with security vulnerability in axios dependency #746

Open
Walfisch opened this issue Nov 10, 2021 · 2 comments
Comments

@Walfisch

ACTUAL BEHAVIOR

npm audit fails with security vulnerability in axios dependency

STEPS TO REPRODUCE

$ npm i -S @inplayer-org/inplayer.js@3.12.0
npm WARN deprecated fingerprintjs2@2.1.4: Package has been renamed to @fingerprintjs/fingerprintjs. Install @fingerprintjs/fingerprintjs to get updates.
npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410

added 69 packages, and audited 70 packages in 8s

12 packages are looking for funding
  run `npm fund` for details

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

$ npm audit
# npm audit report

axios  <=0.21.1
Severity: high
Incorrect Comparison in axios - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Server-Side Request Forgery in Axios - https://github.com/advisories/GHSA-4w2v-q235-vp99
fix available via `npm audit fix --force`
Will install @inplayer-org/inplayer.js@2.13.9, which is a breaking change
node_modules/axios
  @inplayer-org/inplayer.js  >=3.0.0-beta.0
  Depends on vulnerable versions of axios
  node_modules/@inplayer-org/inplayer.js

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

@Walfisch (Author)

This is still true for 3.12.4

$ npm audit
# npm audit report

axios  <=0.21.1
Severity: high
Incorrect Comparison in axios - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Server-Side Request Forgery in Axios - https://github.com/advisories/GHSA-4w2v-q235-vp99
Depends on vulnerable versions of follow-redirects
fix available via `npm audit fix --force`
Will install @inplayer-org/inplayer.js@2.13.9, which is a breaking change
node_modules/axios
  @inplayer-org/inplayer.js  >=0.3.22
  Depends on vulnerable versions of aws-iot-device-sdk
  Depends on vulnerable versions of axios
  node_modules/@inplayer-org/inplayer.js

follow-redirects  <=1.14.7
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via `npm audit fix --force`
Will install @inplayer-org/inplayer.js@2.13.9, which is a breaking change
node_modules/follow-redirects
  axios  <=0.21.1
  Depends on vulnerable versions of follow-redirects
  node_modules/axios
    @inplayer-org/inplayer.js  >=0.3.22
    Depends on vulnerable versions of aws-iot-device-sdk
    Depends on vulnerable versions of axios
    node_modules/@inplayer-org/inplayer.js

minimist  <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install @inplayer-org/inplayer.js@2.13.9, which is a breaking change
node_modules/minimist
  aws-iot-device-sdk  *
  Depends on vulnerable versions of minimist
  node_modules/aws-iot-device-sdk
    @inplayer-org/inplayer.js  >=0.3.22
    Depends on vulnerable versions of aws-iot-device-sdk
    Depends on vulnerable versions of axios
    node_modules/@inplayer-org/inplayer.js

5 high severity vulnerabilities

@Walfisch (Author)

This is still true for 3.12.6
