Component Governance fails due to axios@0.20.0 #6702

Closed
jonthysell opened this issue Dec 7, 2020 · 3 comments · Fixed by #6810
Labels: bug, security (Pull requests that address a security vulnerability)

Comments

@jonthysell
Contributor

CVE-2020-28168

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

yarn why axios
yarn why v1.22.5
[1/4] Why do we have the module "axios"...?
[2/4] Initialising dependency graph...
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.0.2"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.2.0"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^5.0.0"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.0.2"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.0.2"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.0.2"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^4.0.0"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.0.3"
warning Resolution field "appium-android-driver@4.12.0-stub.0" is incompatible with requested version "appium-android-driver@^4.0.0"
warning Resolution field "appium-selendroid-driver@1.13.4-stub.0" is incompatible with requested version "appium-selendroid-driver@1.x"
warning Resolution field "appium-android-driver@4.12.0-stub.0" is incompatible with requested version "appium-android-driver@^4.12.0"
warning Resolution field "appium-android-driver@4.12.0-stub.0" is incompatible with requested version "appium-android-driver@^4.10.0"
warning Resolution field "appium-android-driver@4.12.0-stub.0" is incompatible with requested version "appium-android-driver@^4.0.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "axios@0.20.0"
info Reasons this module exists
   - "_project_#appium-base-driver#appium-support" depends on it
   - Hoisted from "_project_#appium-base-driver#appium-support#axios"
info Disk size without dependencies: "476KB"
info Disk size with unique dependencies: "520KB"
info Disk size with transitive dependencies: "520KB"
info Number of shared dependencies: 1
Done in 1.17s.
@jonthysell jonthysell added bug security Pull requests that address a security vulnerability labels Dec 7, 2020
@ghost ghost added the Needs: Triage 🔍 New issue that needs to be reviewed by the issue management team (label applied by bot) label Dec 7, 2020
@chrisglein chrisglein added this to the 0.65 milestone Dec 11, 2020
@chrisglein chrisglein removed the Needs: Triage 🔍 New issue that needs to be reviewed by the issue management team (label applied by bot) label Dec 11, 2020
@jonthysell
Contributor Author

As per axios/axios#3410, fix set to be released in axios@0.21.1.

@TheOccho

TheOccho commented Dec 17, 2020

@jonthysell is there an ETA on when axios@0.21.1 will be released?

@jonthysell
Contributor Author

It looks like appium-support updated to axios@0.21.1 in their master (appium/appium-support#211), but have not pushed a release requiring it. I'll put in a resolution.

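An added example, not code from this repository or from appium, showing how a transitive axios version below the fixed release can be found in a yarn v1 lockfile (the check Component Governance performed here) and how the yarn resolution described in the comment above is expressed in package.json. The lockfile excerpt is constructed, and the compareVersions helper is a simplifying assumption (real semver handling and yarn's resolver are more complete).

```javascript
// Added example (not code from react-native-windows or appium): scan a yarn v1 lockfile for
// resolved versions of a package below the fixed release, as Component Governance flagged
// axios@0.20.0 here, and build the package.json "resolutions" entry that forces the fix.
const SAMPLE_LOCK = `
axios@^0.19.0, axios@^0.20.0:
  version "0.20.0"
  dependencies:
    follow-redirects "^1.10.0"

axios@^0.21.1:
  version "0.21.1"

follow-redirects@^1.10.0:
  version "1.13.0"
`; // constructed yarn.lock excerpt, not the repository's real lockfile

// Parse the v1 lockfile into { specs, version } records, one per resolved package.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (/^\S/.test(line) && line.endsWith(":")) { // unindented `name@range, ...:` header
      const specs = line.slice(0, -1).split(", ").map(s => s.replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
    } else if (current && /^\s+version "/.test(line)) {
      current.version = line.match(/version "([^"]+)"/)[1];
    }
  }
  return entries;
}

// Compare dotted versions numerically; prerelease suffixes are ignored (simplifying assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number), pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Every resolved version of `name` older than `fixed`, with the ranges that pulled it in.
function findVulnerable(lockText, name, fixed) {
  return parseYarnLock(lockText)
    .filter(e => e.specs.some(s => s.startsWith(name + "@")) && compareVersions(e.version, fixed) < 0)
    .map(e => ({ version: e.version, specs: e.specs }));
}
// Yarn "resolutions" entry so every range for `name` resolves to `range` (the fix taken in #6810).
function withResolution(pkgJson, name, range) {
  return { ...pkgJson, resolutions: { ...(pkgJson.resolutions || {}), [name]: range } };
}
```

Running findVulnerable(SAMPLE_LOCK, "axios", "0.21.1") reports only the 0.20.0 entry; after adding the resolution, a fresh `yarn install` rewrites the lockfile so the check comes back empty.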
jonthysell added a commit that referenced this issue Jan 4, 2021
Appium support brings in axios. Appium support has updated to ^0.21.1 in their master, but have not published the fix.

We can remove this resolution if we remove Appium.

Closes #6702
jonthysell added a commit to jonthysell/react-native-windows that referenced this issue Jan 4, 2021
Appium support brings in axios. Appium support has updated to ^0.21.1 in their master, but have not published the fix.

We can remove this resolution if we remove Appium.

Closes microsoft#6702
jonthysell added a commit that referenced this issue Jan 4, 2021
Backporting #6810 to 0.64.

Appium support brings in axios. Appium support has updated to ^0.21.1 in their master, but have not published the fix.

We can remove this resolution if we remove Appium.

Closes #6702