Upgrade Axios (#632) #633

Open
wants to merge 1 commit into
base: master

strangelookingnerd

Fixes #632

Axios has recently patched a critical vulnerability affecting versions >= 0.8.1, < 1.6.0.

@strangelookingnerd
Author

Ping @TheBoroer

Would you be able to look into this any time soon?

@Parking-Master

@strangelookingnerd oh man I hope @TheBoroer will merge this. Nobody wants any issues with localtunnel.

@Parking-Master

@TheBoroer please merge this!

@Parking-Master

Since he's not responding, I'm just going to throw this out there: If you're worried about the security in your app and you're using localtunnel, you can upgrade it manually. Just run:

npm install axios --save

And you should be good to go.

@sawilde

sawilde commented Dec 29, 2023

I gave up waiting so I forked, patched, and published my own version to npm (https://www.npmjs.com/package/@security-patched/localtunnel)

browser-sync have also just recently dropped localtunnel as a dependency because of this issue.

@sgutkin

sgutkin commented Jan 16, 2024

+1
It would be nice to have this PR approved. Currently, Angular 17 ("@angular-devkit/build-angular": "^17.0.10") has a dependency on this library which in turn has a dependency on Axios. The npm audit reports a moderate severity vulnerability. Actual risk seems low since it's within the devDependencies; however, the error messages trigger security audits at large companies.
:(
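The dependency chain described in this thread (a project pulling in localtunnel, which pulls in Axios) means more than one copy of Axios can be installed at once. As an added example that is not part of the thread or of the localtunnel project, this script lists every Axios copy recorded in a `package-lock.json` (lockfileVersion 2 or 3) and flags those inside the range quoted in the PR description, `>= 0.8.1, < 1.6.0`. The function names and the sample lock file are assumptions made for illustration.

```javascript
// Added example: find every installed axios copy in a package-lock.json and
// flag the ones inside the range quoted in the PR description (>= 0.8.1, < 1.6.0).

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way numeric compare, so that 0.10.0 sorts after 0.9.0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range taken from the PR description: lower bound inclusive, upper exclusive.
const inAffectedRange = (v) =>
  compareVersions(v, "0.8.1") >= 0 && compareVersions(v, "1.6.0") < 0;

// Return [{ path, version, affected }] for every axios entry in the lock file.
function findAxios(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/axios") || !meta.version) continue;
    results.push({ path, version: meta.version, affected: inAffectedRange(meta.version) });
  }
  return results;
}

// Constructed sample lock file (package versions are illustrative, not from the thread).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.6.2" },
    "node_modules/localtunnel": { version: "2.0.2" },
    "node_modules/localtunnel/node_modules/axios": { version: "0.21.4" },
  },
};

for (const hit of findAxios(sampleLock)) {
  console.log(`${hit.affected ? "AFFECTED" : "ok      "} ${hit.version}  ${hit.path}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.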

@AwesomeKalin

The reason this sadly isn't being merged is because @TheBoroer doesn't have edit perms on this repo, nor to npm.

@servoo

servoo commented Feb 14, 2024

Still waiting for the PR to be approved so we can migrate to Angular 17..

Successfully merging this pull request may close these issues.

Critical vulnerability in the Axios version used by localtunnel
6 participants