
Bump axios to 1.7.4 to resolve vulnerability #567

Closed
aBurmeseDev opened this issue Aug 13, 2024 · 1 comment
Labels
bug This issue is a bug. p1 This is a high priority issue pending-release This issue will be fixed by an approved PR that hasn't been released yet.

Comments

@aBurmeseDev
Member

aBurmeseDev commented Aug 13, 2024

Describe the bug

The AWS SDK JavaScript team received a report of a vulnerability in the axios library, which is a dependency of aws-crt, which in turn is a dependency of some SDK client packages.

Reported in aws-sdk-js-v3: aws/aws-sdk-js-v3#6381
Affected axios versions: >= 1.3.2, <= 1.7.3
Current version used in CRT: ^1.7.2

Expected Behavior

No vulnerabilities!

Current Behavior

axios  >=1.3.2
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios
  aws-crt  >=1.19.0
  Depends on vulnerable versions of axios
  node_modules/aws-crt

2 high severity vulnerabilities

Reproduction Steps

npm install @aws-sdk/client-dynamodb

npm audit

npm ls axios

├─┬ @aws-sdk/[email protected]
│ └─┬ @aws-sdk/[email protected]
│   └─┬ [email protected]
│     └── [email protected] 

Possible Solution

Consider bumping axios to ^1.7.4

Additional Information/Context

No response

aws-crt-nodejs version used

latest

nodejs version used

20

Operating System and version

macOS

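The reproduction steps above rely on `npm audit` for the range check. As an added example (not part of this issue or of the aws-crt project), the POSIX shell script below reproduces only the version-range test for the affected range quoted in the report (>= 1.3.2, <= 1.7.3) against `name@version` lines, so a CI gate can flag a vulnerable axios pin even when the advisory database is unreachable. The function names `ver_ge`, `axios_is_vulnerable` and `count_vulnerable`, the `--demo` flag and the sample lines are assumptions; `npm audit` and `npm ls axios` remain the authoritative checks.

```shell
#!/bin/sh
# Added example (not from the issue or aws-crt): flag axios versions inside the
# affected range quoted in the report, >= 1.3.2 and <= 1.7.3. POSIX sh only.

VULN_LOW=1.3.2
VULN_HIGH=1.7.3

# ver_ge A B: succeeds when dotted version A >= B. Compares major.minor.patch
# numerically; a pre-release suffix such as -beta.1 is ignored, and missing
# components are padded with zeros ("1.7" compares as 1.7.0).
ver_ge() {
    va="${1%%-*}.0.0"
    vb="${2%%-*}.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$va" | cut -d. -f"$i")
        y=$(printf '%s' "$vb" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 1; fi
        if [ "$x" -gt "$y" ]; then return 0; fi
        i=$((i + 1))
    done
    return 0   # all three components equal
}

# axios_is_vulnerable V: succeeds when V lies within [VULN_LOW, VULN_HIGH].
axios_is_vulnerable() {
    ver_ge "$1" "$VULN_LOW" && ver_ge "$VULN_HIGH" "$1"
}

# count_vulnerable: reads name@version lines on stdin (one per resolved
# package; scoped names such as @aws-sdk/client-dynamodb are handled because
# only the last '@' separates the version), prints each vulnerable axios line
# to stderr and the total count to stdout.
count_vulnerable() {
    n=0
    while IFS= read -r dep; do
        name=${dep%@*}
        ver=${dep##*@}
        [ "$name" = "axios" ] || continue
        if axios_is_vulnerable "$ver"; then
            echo "VULNERABLE: $dep" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample tree (not real npm output): one axios pin inside the
# affected range, one unrelated package, one axios already on the fixed line.
SAMPLE='axios@1.7.2
aws-crt@1.0.0
axios@1.7.4'

# Stand-alone run (`sh check_axios.sh --demo`): exit non-zero when anything
# is flagged, which is how a CI job would use it.
if [ "${1:-}" = "--demo" ]; then
    found=$(printf '%s\n' "$SAMPLE" | count_vulnerable)
    [ "$found" -eq 0 ]
fi
```

The bounds are inclusive on both ends, matching the report's ">= 1.3.2, <= 1.7.3", so 1.7.3 is flagged and 1.7.4 (the version the issue asks to bump to) passes.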
@aBurmeseDev aBurmeseDev added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 13, 2024
@jmklix jmklix linked a pull request Aug 13, 2024 that will close this issue
@jmklix jmklix added pending-release This issue will be fixed by an approved PR that hasn't been released yet. p1 This is a high priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Aug 13, 2024
@jmklix
Member

jmklix commented Aug 16, 2024

Fixed with this PR: #571

@jmklix jmklix closed this as completed Aug 16, 2024