[Snyk] Fix for 1 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	718/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 235 commits.

• a64050a Releasing 0.21.1
• d57cd97 Updating changelog for 0.21.1 release
• 8b0f373 Use different socket for Win32 test (#3375)
• e426910 Protocol not parsed when setting proxy config from env vars (#3070)
• c7329fe Hotfix: Prevent SSRF (#3410)
• f472e5d Adding a type guard for `AxiosError` (#2949)
• 7688255 Remove the skipping of the `socket` http test (#3364)
• 820fe6e Updating axios in types to be lower case (#2797)
• 94ca24b Releasing 0.21.0
• 2130a0c Updating changelog for 0.21.0 release
• fbdc150 Lock travis to not use node v15 (#3361)
• 3a8b87d Fixing an issue that type 'null' and 'undefined' is not assignable to validateStatus when typescript strict option is enabled (#3200)
• 9a78465 Revert "Fixing overwrite Blob/File type as Content-Type in browser. (#1773)" (#3289)
• 6d05b96 Fix typos (#3309)
• fa36737 fix axios.delete ignores config.data (#3282)
• b7e954e Fixing node types (#3237)
• 04d45f2 Fixing requestHeaders.Authorization (#3287)
• e8c6e19 docs: Fix simple typo, existant -> existent (#3252)
• 0d87655 Releasing 0.20.0
• cd27741 Updating changelog for 0.20.0 release
• ffea034 Releasing 0.20.0-0
• fe147fb Updating changlog for 0.20.0 beta release
• 16aa2ce Fixing response with utf-8 BOM can not parse to json (#2419)
• c4300a8 Adding support for URLSearchParams in node (#1900)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@azure/abort-controller@1.1.0	None	+1	149 kB	azure-sdk
npm/@azure/core-amqp@1.1.7	network Transitive: environment, eval, filesystem	+47	4.88 MB	azure-sdk
npm/@azure/core-asynciterator-polyfill@1.0.2	None	0	6.51 kB	azure-sdk
npm/@azure/core-auth@1.7.0	None	+2	420 kB	azure-sdk
npm/@azure/core-client@1.9.0	Transitive: environment, network	+11	4.32 MB	azure-sdk
npm/@azure/core-rest-pipeline@1.15.0	environment, network	+9	2.62 MB	azure-sdk
npm/@azure/core-tracing@1.0.0-preview.7	None	+3	372 kB	azure-sdk
npm/@azure/core-util@1.8.0	None	0	237 kB	azure-sdk
npm/@azure/event-hubs@5.0.0	Transitive: environment, eval, filesystem, network, shell	+130	20.6 MB	azure-sdk
npm/@azure/identity@1.5.2	environment, filesystem, network, shell Transitive: eval	+98	15.6 MB	azure-sdk
npm/@azure/logger@1.1.0	environment	0	124 kB	azure-sdk
npm/@azure/msal-common@4.5.1	None	0	1.92 MB	azuread
npm/@azure/msal-node@1.0.0-beta.6	environment, eval Transitive: network	+18	3.52 MB	azuread
npm/@opencensus/web-types@0.0.7	None	0	103 kB	google-wombot
npm/@opentelemetry/api@1.8.0	None	0	1.21 MB	pichlermarc
npm/@opentelemetry/types@0.2.0	None	0	86.5 kB	mayurkale22
npm/@types/async-lock@1.4.2	None	0	7.46 kB	types
npm/@types/is-buffer@2.0.2	None	+1	596 kB	types
npm/@types/stoppable@1.1.3	None	+1	599 kB	types
npm/async-lock@1.4.1	None	0	18.3 kB	rogierschouten
npm/available-typed-arrays@1.0.7	None	+1	31.3 kB	ljharb
npm/axios@0.21.1	environment, network	+1	401 kB	emilyemorehouse
npm/buffer@5.7.1	None	+2	98 kB	feross
npm/call-bind@1.0.7	Transitive: eval	+11	225 kB	ljharb
npm/decompress-response@6.0.0	None	+1	11.5 kB	sindresorhus
npm/define-data-property@1.1.4	Transitive: eval	+8	177 kB	ljharb
npm/detect-libc@2.0.2	filesystem, shell	0	23.7 kB	lovell
npm/es-define-property@1.0.0	Transitive: eval	+6	139 kB	ljharb
npm/es-errors@1.3.0	None	0	12.3 kB	ljharb
npm/expand-template@2.0.3	None	0	5.41 kB	ralphtheninja
npm/follow-redirects@1.15.6	network	0	29.4 kB	rubenverborgh
npm/for-each@0.3.3	None	+1	42 kB	ljharb
npm/fs-constants@1.0.0	filesystem	0	2.22 kB	mafintosh
npm/function-bind@1.1.2	None	0	31.4 kB	ljharb
npm/get-intrinsic@1.2.4	eval	+5	127 kB	ljharb
npm/github-from-package@0.0.0	None	0	4.61 kB	substack
npm/gopd@1.0.1	Transitive: eval	+6	134 kB	ljharb
npm/has-property-descriptors@1.0.2	Transitive: eval	+7	149 kB	ljharb
npm/has-proto@1.0.3	None	0	12 kB	ljharb
npm/has-symbols@1.0.3	None	0	20.6 kB	ljharb
npm/has-tostringtag@1.0.2	None	+1	38.2 kB	ljharb
npm/hasown@2.0.2	None	+1	40.2 kB	ljharb
npm/is-arguments@1.1.1	Transitive: eval	+13	271 kB	ljharb
npm/is-callable@1.2.7	None	0	28.9 kB	ljharb
npm/is-docker@2.2.1	filesystem	0	3.01 kB	sindresorhus
npm/is-generator-function@1.0.10	eval	+2	70.1 kB	ljharb
npm/is-typed-array@1.1.13	Transitive: eval	+18	380 kB	ljharb
npm/jsonwebtoken@8.5.1	None	+14	293 kB	ziluvatar
npm/jssha@2.4.2	None	0	74.6 kB	caligatio
npm/keytar@7.9.0	Transitive: environment, filesystem, network, shell	+38	1.23 MB	shiftkey
npm/lodash.includes@4.3.0	None	0	21.9 kB	jdalton
npm/lodash.isboolean@3.0.3	None	0	4.27 kB	jdalton
npm/lodash.isinteger@4.0.4	None	0	9.21 kB	jdalton
npm/lodash.isnumber@3.0.3	None	0	4.47 kB	jdalton
npm/lodash.isplainobject@4.0.6	None	0	6.89 kB	jdalton
npm/lodash.isstring@4.0.1	None	0	4.75 kB	jdalton
npm/lodash.once@4.1.1	None	0	10.2 kB	jdalton
npm/mimic-response@3.1.0	None	0	6 kB	sindresorhus
npm/minimist@1.2.8	None	0	54.5 kB	ljharb
npm/mkdirp-classic@0.5.3	filesystem	0	4.5 kB	mafintosh
npm/msal@1.4.18	None	+1	3.05 MB	azuread
npm/napi-build-utils@1.0.2	None	0	15.5 kB	inspiredware
npm/node-abi@3.56.0	None	+3	140 kB	electron-cfa
npm/node-addon-api@4.3.0	None	0	384 kB	nicknaso
npm/object-inspect@1.13.1	None	0	97.2 kB	ljharb
npm/open@7.4.2	environment, filesystem, shell	+2	48.7 kB	sindresorhus
npm/possible-typed-array-names@1.0.0	None	0	10.9 kB	ljharb
npm/prebuild-install@7.1.2	environment, filesystem Transitive: network, shell	+36	797 kB	lovell
npm/rhea-promise@1.2.1	Transitive: environment, filesystem, network	+3	1.44 MB	ramya-rao-a
npm/rhea@1.0.24	environment, filesystem, network	+1	971 kB	grs
npm/set-function-length@1.2.2	Transitive: eval	+10	203 kB	ljharb
npm/side-channel@1.0.6	Transitive: eval	+13	345 kB	ljharb
npm/simple-concat@1.0.1	None	0	4.62 kB	feross
npm/simple-get@4.0.1	network	+5	38.1 kB	feross
npm/stoppable@1.1.0	network	0	7.09 kB	boneskull
npm/tar-fs@2.1.1	filesystem Transitive: environment	+16	399 kB	mafintosh
npm/tar-stream@2.2.0	filesystem Transitive: environment	+12	354 kB	mafintosh
npm/which-typed-array@1.1.15	Transitive: eval	+17	356 kB	ljharb

🚮 Removed packages: npm/@azure/amqp-common@1.0.0-preview.2, npm/@azure/event-hubs@2.0.0, npm/@azure/ms-rest-azure-env@1.1.2, npm/@azure/ms-rest-js@1.8.13, npm/@azure/ms-rest-nodeauth@0.9.3, npm/@types/is-buffer@2.0.0, npm/@types/tunnel@0.0.0, npm/async-lock@1.2.2, npm/axios@0.18.1, npm/follow-redirects@1.5.10, npm/form-data@2.5.1, npm/jssha@2.3.1, npm/minimist@1.2.0, npm/rhea-promise@0.1.15, npm/rhea@1.0.8, npm/sax@1.2.4, npm/tough-cookie@2.5.0, npm/tunnel@0.0.6, npm/xml2js@0.4.21, npm/xmlbuilder@13.0.2, npm/zone.js@0.7.6

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/keytar@7.9.0	Install script: install Source: prebuild-install || npm run build	package-lock.json

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/keytar@7.9.0