Axios vulnerability #142

@paulwoelfel

Description

Version 0.6.0 introduces an axios vulnerability:

# npm audit report

axios  1.0.0 - 1.8.1
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
fix available via `npm audit fix --force`
Will install @google-cloud/synthetics-sdk-api@0.5.1, which is a breaking change
node_modules/@google-cloud/synthetics-sdk-api/node_modules/axios
  @google-cloud/synthetics-sdk-api  >=0.6.0
  Depends on vulnerable versions of axios
  node_modules/@google-cloud/synthetics-sdk-api

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
❯ npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating @google-cloud/synthetics-sdk-api to 0.5.1, which is a SemVer major change.

removed 1 package, changed 1 package, and audited 538 packages in 1s

40 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Here is the extract from my package-lock.json:

{
  "node_modules/@google-cloud/synthetics-sdk-api": {
    "version": "0.6.0",
    "resolved": "https://registry.npmjs.org/@google-cloud/synthetics-sdk-api/-/synthetics-sdk-api-0.6.0.tgz",
    "integrity": "sha512-dRS3x7NAYUdET6SQ6+scu3eUGUtgH2PAY8Zx+0DDvB7Zo5ymVIP1b0hbAkLLDZzg9wNQFSDAh59A0lEuU3Zpyw==",
    "license": "Apache-2.0",
    "dependencies": {
      "@google-cloud/opentelemetry-cloud-trace-exporter": "2.1.0",
      "@opentelemetry/api": "1.6.0",
      "@opentelemetry/auto-instrumentations-node": "0.39.2",
      "@opentelemetry/instrumentation": "0.43.0",
      "@opentelemetry/sdk-node": "0.43.0",
      "@opentelemetry/sdk-trace-base": "1.17.0",
      "@opentelemetry/sdk-trace-node": "1.17.0",
      "axios": "1.6.7",
      "error-stack-parser": "2.1.4",
      "google-auth-library": "9.0.0",
      "ts-proto": "1.148.1",
      "winston": "3.10.0"
    }
  }
}
