Expected Behavior
Jovo should install without security vulnerabilities.
Current Behavior
Axios has a vulnerability that is fixed in 0.21.1, whereas jovo-core uses ^0.19.0. Since Axios is still below version 1.0, it seems the minor version is a breaking change and must be updated manually by dependent packages, as there is no fix for the vulnerability in the 0.19.x branch.
Error log
npm audit
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

High           Server-Side Request Forgery
Package        axios
Patched in     >=0.21.1
Dependency of  jovo-db-filedb
Path           jovo-db-filedb > jovo-core > axios
More info      https://npmjs.com/advisories/1594

High           Server-Side Request Forgery
Package        axios
Patched in     >=0.21.1
Dependency of  jovo-framework
Path           jovo-framework > jovo-db-filedb > jovo-core > axios
More info      https://npmjs.com/advisories/1594

High           Server-Side Request Forgery
Package        axios
Patched in     >=0.21.1
Dependency of  jovo-framework
Path           jovo-framework > jovo-core > axios
More info      https://npmjs.com/advisories/1594

High           Server-Side Request Forgery
Package        axios
Patched in     >=0.21.1
Dependency of  jovo-platform-alexa
Path           jovo-platform-alexa > jovo-core > axios
More info      https://npmjs.com/advisories/1594

High           Server-Side Request Forgery
Package        axios
Patched in     >=0.21.1
Dependency of  jovo-platform-googleassistant
Path           jovo-platform-googleassistant > jovo-core > axios
More info      https://npmjs.com/advisories/1594

High           Server-Side Request Forgery
Package        axios
Patched in     >=0.21.1
Dependency of  jovo-platform-googleassistant
Path           jovo-platform-googleassistant > jovo-platform-dialogflow > jovo-core > axios
More info      https://npmjs.com/advisories/1594

High           Server-Side Request Forgery
Package        axios
Patched in     >=0.21.1
Dependency of  jovo-plugin-debugger
Path           jovo-plugin-debugger > jovo-core > axios
More info      https://npmjs.com/advisories/1594

found 7 high severity vulnerabilities in 915 scanned packages
Your Environment
Jovo Framework version used: 3.3.0
Operating System: Alpine Linux container, MacOS
Note that the vulnerability is related to Axios's proxy implementation, which is not used in Jovo, so I don't see how Jovo would actually be exploitable.
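As an added example (not code from the Jovo project or the issue author), the following Node.js script re-derives the conclusion of this report from the audit output itself. It parses the seven Path lines quoted above (embedded as constructed input, with the wrapped path re-joined), finds which package sits immediately before axios in each path (the package whose package.json declares the dependency), and checks that package's declared range against the patched version using npm's caret rules: a caret range keeps the leftmost non-zero component fixed, so ^1.2.3 admits anything below 2.0.0, ^0.2.3 only below 0.3.0, and ^0.0.3 only 0.0.3 itself. The declared range ^0.19.0 for jovo-core is taken from the issue text; the constant and function names are mine.

```javascript
// Added example, not code from the Jovo project or the issue author.
// It re-derives the issue's conclusion from the audit report: every reported
// path goes through jovo-core, which declares axios ^0.19.0, and a caret range
// below 1.0 does not admit the patched 0.21.1, so only a change in jovo-core's
// package.json (not `npm audit fix` or `npm update`) can resolve the advisory.

// Constructed input: the seven "Path" lines from the npm audit output above,
// with the line-wrapped path re-joined.
const AUDIT_TEXT = `
Path jovo-db-filedb > jovo-core > axios
Path jovo-framework > jovo-db-filedb > jovo-core > axios
Path jovo-framework > jovo-core > axios
Path jovo-platform-alexa > jovo-core > axios
Path jovo-platform-googleassistant > jovo-core > axios
Path jovo-platform-googleassistant > jovo-platform-dialogflow > jovo-core > axios
Path jovo-plugin-debugger > jovo-core > axios
`;

// Assumption taken from the issue text: jovo-core declares axios as ^0.19.0.
const DECLARED_RANGES = { 'jovo-core': { axios: '^0.19.0' } };
const VULNERABLE_PACKAGE = 'axios';
const PATCHED_IN = '0.21.1';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three numbers.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(text.trim());
  if (!m) throw new Error(`not a plain semver version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's semver rules:
// the leftmost non-zero component may not change.
//   ^1.2.3 -> <2.0.0   ^0.2.3 -> <0.3.0   ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True if `version` is admitted by the caret range `range` (e.g. "^0.19.0").
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are handled: ${range}`);
  const lower = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compareVersions(v, lower) >= 0 && compareVersions(v, caretUpperBound(lower)) < 0;
}

// Extract each "Path a > b > c" line as an array of package names.
function parseAuditPaths(text) {
  return text
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line.startsWith('Path '))
    .map((line) => line.slice('Path '.length).split('>').map((s) => s.trim()));
}

// The package immediately before the vulnerable one in a path is the package
// whose package.json declares the vulnerable dependency. Count paths per such
// package: these are the only places where a version bump resolves the finding.
function pinningPackages(paths, vulnerable) {
  const counts = {};
  for (const path of paths) {
    const idx = path.indexOf(vulnerable);
    if (idx < 1) continue; // not in the path, or a direct dependency of the root
    const parent = path[idx - 1];
    counts[parent] = (counts[parent] || 0) + 1;
  }
  return counts;
}

// One row per pinning package: how many audit paths it accounts for, the range
// it declares, and whether the patched version already falls inside that range
// (true means `npm update` could pick it up; false means the range must change).
function report() {
  const paths = parseAuditPaths(AUDIT_TEXT);
  const pins = pinningPackages(paths, VULNERABLE_PACKAGE);
  return Object.entries(pins).map(([pkg, count]) => {
    const range = DECLARED_RANGES[pkg] && DECLARED_RANGES[pkg][VULNERABLE_PACKAGE];
    return {
      pkg,
      paths: count,
      range: range || null,
      patchedInRange: range ? caretSatisfies(range, PATCHED_IN) : null,
    };
  });
}

for (const row of report()) {
  console.log(
    `${row.pkg}: ${row.paths} path(s); declares ${VULNERABLE_PACKAGE} ${row.range}; ` +
      `${PATCHED_IN} within declared range: ${row.patchedInRange}`,
  );
}
```

Run with node. For the audit output above it reports a single pinning package, jovo-core, accounting for all seven paths, with 0.21.1 outside ^0.19.0. That is the practical check worth doing before opening an issue like this one: if every path converges on one package whose range excludes the patched version, npm audit fix and npm update cannot help, and a version bump in that package's package.json is the only fix.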