
Update axios to 0.21.1 #887

Closed
1 of 4 tasks
dnotes opened this issue Jan 26, 2021 · 2 comments
Comments


dnotes commented Jan 26, 2021

I'm submitting a...

  • Bug report
  • Feature request
  • Documentation issue or request
  • Other... Please describe:

Expected Behavior

Jovo should install without security vulnerabilities.

Current Behavior

Axios has a vulnerability that is fixed in 0.21.1, whereas jovo-core uses ^0.19.0. Since Axios is still below version 1.0 it seems the minor version is a breaking change and must be updated manually by dependent packages, as there is no fix for the vulnerability in the 0.19.x branch.

Note that the vulnerability is related to Axios's proxy implementation, which is not used in Jovo, so I don't see how Jovo would actually be exploitable.

Error log

npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  High            Server-Side Request Forgery                                   
                                                                                
  Package         axios                                                         
                                                                                
  Patched in      >=0.21.1                                                      
                                                                                
  Dependency of   jovo-db-filedb                                                
                                                                                
  Path            jovo-db-filedb > jovo-core > axios                            
                                                                                
  More info       https://npmjs.com/advisories/1594                             
                                                                                
                                                                                
  High            Server-Side Request Forgery                                   
                                                                                
  Package         axios                                                         
                                                                                
  Patched in      >=0.21.1                                                      
                                                                                
  Dependency of   jovo-framework                                                
                                                                                
  Path            jovo-framework > jovo-db-filedb > jovo-core > axios           
                                                                                
  More info       https://npmjs.com/advisories/1594                             
                                                                                
                                                                                
  High            Server-Side Request Forgery                                   
                                                                                
  Package         axios                                                         
                                                                                
  Patched in      >=0.21.1                                                      
                                                                                
  Dependency of   jovo-framework                                                
                                                                                
  Path            jovo-framework > jovo-core > axios                            
                                                                                
  More info       https://npmjs.com/advisories/1594                             
                                                                                
                                                                                
  High            Server-Side Request Forgery                                   
                                                                                
  Package         axios                                                         
                                                                                
  Patched in      >=0.21.1                                                      
                                                                                
  Dependency of   jovo-platform-alexa                                           
                                                                                
  Path            jovo-platform-alexa > jovo-core > axios                       
                                                                                
  More info       https://npmjs.com/advisories/1594                             
                                                                                
                                                                                
  High            Server-Side Request Forgery                                   
                                                                                
  Package         axios                                                         
                                                                                
  Patched in      >=0.21.1                                                      
                                                                                
  Dependency of   jovo-platform-googleassistant                                 
                                                                                
  Path            jovo-platform-googleassistant > jovo-core > axios             
                                                                                
  More info       https://npmjs.com/advisories/1594                             
                                                                                
                                                                                
  High            Server-Side Request Forgery                                   
                                                                                
  Package         axios                                                         
                                                                                
  Patched in      >=0.21.1                                                      
                                                                                
  Dependency of   jovo-platform-googleassistant                                 
                                                                                
  Path            jovo-platform-googleassistant > jovo-platform-dialogflow >    
                  jovo-core > axios                                             
                                                                                
  More info       https://npmjs.com/advisories/1594                             
                                                                                
                                                                                
  High            Server-Side Request Forgery                                   
                                                                                
  Package         axios                                                         
                                                                                
  Patched in      >=0.21.1                                                      
                                                                                
  Dependency of   jovo-plugin-debugger                                          
                                                                                
  Path            jovo-plugin-debugger > jovo-core > axios                      
                                                                                
  More info       https://npmjs.com/advisories/1594                             
                                                                                
found 7 high severity vulnerabilities in 915 scanned packages

Your Environment

  • Jovo Framework version used: 3.3.0
  • Operating System: Alpine Linux container, MacOS
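The "Current Behavior" paragraph rests on a detail of npm's caret ranges that is easy to miss: for 0.x versions a caret pins the minor, so `^0.19.0` can never resolve to the patched 0.21.1, and every path in the audit output above is a path to that unreachable range. The following script is an added example written for this page (not Jovo or axios code); it implements the caret rule for plain `MAJOR.MINOR.PATCH` versions and walks a constructed dependency graph whose package names and ranges (the `^3.3.0` ranges for the Jovo packages are assumptions) mirror the report, listing each path whose declared range cannot reach a given patched version.

```javascript
// Added example, not part of the Jovo or axios projects: minimal npm-style
// caret-range check plus a dependency-path walker, showing why "^0.19.0"
// never resolves to axios 0.21.1 and how each audit path arises.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Exclusive upper bound of a caret range, per npm semver rules:
//   ^1.2.3 -> <2.0.0    ^0.19.0 -> <0.20.0    ^0.0.3 -> <0.0.4
function caretUpperBound(base) {
  if (base.major > 0) return { major: base.major + 1, minor: 0, patch: 0 };
  if (base.minor > 0) return { major: 0, minor: base.minor + 1, patch: 0 };
  return { major: 0, minor: 0, patch: base.patch + 1 };
}

// True if `version` satisfies the caret range `range` (e.g. "^0.19.0").
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compare(v, base) >= 0 && compare(v, caretUpperBound(base)) < 0;
}

// Constructed dependency graph (name -> { dependency: range }) modelled on
// the audit report; the Jovo package ranges are assumptions, axios is "^0.19.0".
const GRAPH = {
  "jovo-framework": { "jovo-db-filedb": "^3.3.0", "jovo-core": "^3.3.0" },
  "jovo-db-filedb": { "jovo-core": "^3.3.0" },
  "jovo-platform-alexa": { "jovo-core": "^3.3.0" },
  "jovo-core": { axios: "^0.19.0" },
};

// Walk the graph from `root` and return every path ending at `target` whose
// declared range cannot be satisfied by the `patched` version.
function unreachablePatchPaths(graph, root, target, patched) {
  const results = [];
  (function walk(name, path) {
    const deps = graph[name] || {};
    for (const [dep, range] of Object.entries(deps)) {
      const next = [...path, dep];
      if (dep === target) {
        if (!caretSatisfies(range, patched)) {
          results.push({ path: next.join(" > "), range });
        }
      } else {
        walk(dep, next);
      }
    }
  })(root, [root]);
  return results;
}

// Usage: report the paths for jovo-framework, in the same "a > b > c" form as npm audit.
for (const r of unreachablePatchPaths(GRAPH, "jovo-framework", "axios", "0.21.1")) {
  console.log(`${r.path}  (declared ${r.range}, patched in 0.21.1 not reachable)`);
}
```

Running this prints two paths for `jovo-framework`, matching the second and third entries of the audit output. Swapping the patched version for a hypothetical `0.19.1` yields no paths, which is the point of the issue: a fix landing in the 0.19.x line would be picked up by a reinstall, whereas a fix in 0.21.x requires every package declaring `^0.19.0` to bump its range.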

aswetlow (Member) commented

Thanks @dnotes
Will be updated in the next release.

aswetlow (Member) commented Feb 5, 2021

Fixed and published (v3.4.0)

aswetlow closed this as completed Feb 5, 2021