CLOUD SDK JS 1.0 - risk assessment for vulnerability (medium) in axios-0.19.2.tgz

[AnnaDez]

Dear Colleagues,

we are from ERP for SME and are building one of the consumer applications of the Cloud SDK JS (Using "@sap-cloud-sdk/core": "^1.30.0") component
and the WhiteSource scan result for our BAF core component (package.json) shows a vulnerability in axios-0.19.2.tgz
(Path: https://saas.whitesourcesoftware.com/Wss/WSS.html#!libraryVulnerabilities;uuid=811031a9-bfee-44c0-bd1f-1aec280d4bed;project=2366016;orgToken=74cbbb27-f32c-474e-bb6b-d99fbffddee4).

Could you do us a small favor by writing my a short feedback when the risk assessment (hopefully false positive ;) ) for this vulnerability will be done or providing further details? (currently we will continue to use the 1.30.0 version of the component)

Thanks!
Best,
Anna

[FrankEssenberger]

Hi Anna,

thanks for opening an issue. We use the following version of axios in our package.json:

    "axios": "^0.21.0"

The modifier ^ means that minor and path versions are automatically increased if available when you do a fresh npm i. So once the axios fixed the issue and released a new version the error will disappear. You can have a look at this issue:

axios/axios#3410

So once they release 0.21.1 the error will be fixed I think.

[FrankEssenberger]

So I would close the issue here because the fix from axios is already on the way.

[jjtang1985]

#890