
Current delivery SDK release has high priority vulnerability with Axios #43

Closed
kevin-mitchell opened this issue Apr 26, 2021 · 2 comments

Comments

@kevin-mitchell

Description

When installing dc-delivery-sdk-js via npm install, there is a high severity vulnerability reported.

Steps to Reproduce

There are of course many ways to do this, but from "scratch":

mkdir example && cd example && npm init --yes && npm install dc-delivery-sdk-js --save

Expected Results

Install dependencies without any reported high severity vulnerabilities

Actual Results

npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN example@1.0.0 No description
npm WARN example@1.0.0 No repository field.

+ dc-delivery-sdk-js@0.9.0
added 5 packages from 7 contributors and audited 5 packages in 1.025s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Affected browsers/environments

I believe anything using this package.

Versions

"dependencies": {
    "dc-delivery-sdk-js": "^0.9.0"
  }

Other information

It looks like there is an approved PR from dependabot here: #29 that has this bump; it looks like it was approved on January 5th but not merged. I obviously have no insight into why something may or may not be merged, but I'd like to be able to use this package in places where there are strict requirements that there be no high priority vulnerabilities. We could resolve our own version of Axios, etc., but ultimately we want to make sure we're using officially supported libraries / the SDK.
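The reporter's two options, checking which transitive copy of axios the lockfile actually resolves and, failing an upstream bump, pinning it yourself, can both be scripted. The following is an added example, not code from the issue or from dc-delivery-sdk-js: it walks a package-lock.json (both the nested lockfileVersion 1 layout that npm 6 wrote at the time of this issue and the flat "packages" map of lockfileVersion 2/3), reports every copy of axios below the fixed version named in the npm deprecation notice (0.21.1), and emits the package.json `overrides` stanza that npm 8.3 and later honour to force the transitive copy forward. The sample lockfile is constructed here to mirror the install in the issue; the version threshold is the one quoted in the npm WARN above.

```javascript
// Added example (not part of the original issue or of dc-delivery-sdk-js).
// Scan a package-lock.json for every resolved copy of a package and flag any
// version below a fixed threshold; then build the npm "overrides" stanza that
// would pin it. Assumes lockfileVersion 1 (nested "dependencies") or 2/3
// (flat "packages" keyed by node_modules path). Sample data is constructed.

const FIXED_AXIOS = '0.21.1'; // version named in the npm deprecation notice

// Compare two dotted version cores numerically: -1, 0 or 1.
// Prerelease tags are not needed for the versions on this page.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1: recurse through nested "dependencies" objects.
function* walkV1(deps, parent = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...parent, name];
    yield { name, version: entry.version, path: path.join(' > ') };
    if (entry.dependencies) yield* walkV1(entry.dependencies, path);
  }
}

// lockfileVersion 2/3: keys look like "node_modules/a/node_modules/b".
function* walkV2(packages) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project entry
    const parts = key
      .split('node_modules/')
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    yield { name: parts[parts.length - 1], version: entry.version, path: parts.join(' > ') };
  }
}

// Every copy of `pkg` in the lockfile whose version is below `fixed`.
function findVulnerable(lock, pkg, fixed) {
  const walker = lock.packages ? walkV2(lock.packages) : walkV1(lock.dependencies);
  const hits = [];
  for (const dep of walker) {
    if (dep.name === pkg && compareVersions(dep.version, fixed) < 0) hits.push(dep);
  }
  return hits;
}

// package.json "overrides" stanza (npm >= 8.3) forcing the transitive copy to
// the fixed line without forking the SDK. Yarn's equivalent is "resolutions".
function overridesFor(pkg, fixed) {
  return { overrides: { [pkg]: `^${fixed}` } };
}

// Constructed lockfile mirroring the install in the issue: the SDK nests
// axios 0.19.2, while a hoisted top-level axios is already on the fixed line.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'dc-delivery-sdk-js': {
      version: '0.9.0',
      dependencies: { axios: { version: '0.19.2' } },
    },
    axios: { version: '0.21.1' },
  },
};

// Human-readable report lines for a lockfile.
function report(lock, pkg = 'axios', fixed = FIXED_AXIOS) {
  const hits = findVulnerable(lock, pkg, fixed);
  const lines = hits.map((h) => `${h.path}: ${pkg}@${h.version} < ${fixed}`);
  if (hits.length) lines.push(JSON.stringify(overridesFor(pkg, fixed)));
  return lines;
}

console.log(report(sampleLock).join('\n'));
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the path printed for each hit shows which dependency pulls the old copy in, which is the evidence `npm audit` summarises as "1 high severity vulnerability" without naming the route.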

@easen-amp
Member

Hi @kevin-mitchell,

Reading the upstream issue (axios/axios#3369), I don't believe we are impacted; this vulnerability is related to the Axios proxy feature, and our SDK doesn't allow you to specify a proxy.

Are you able to supply a code example that demonstrates that we are directly impacted by this issue?

Regarding #29, any change to our SDK needs to be approved by our internal QA team before it can be released, so even though our unit tests pass, etc., it still requires QA approval.

I cannot give any estimates to when this will be done at the current time.

@easen-amp
Member

Version bump has been released #48 v0.9.1
