Axios CVE #337

Closed
tiptenbrink opened this issue Nov 27, 2023 · 2 comments · Fixed by #338

Comments

@tiptenbrink

Hi,

Currently Mollie relies on axios ^0.27.2. This means any version 0.28 and beyond (including 1.0+ versions) doesn't satisfy this requirement. Recently, a CVE was published for axios versions <1.6.0 (see GHSA-wf5p-g6vw-rhxx). It would be great if 1.6.0 would at least be included as a supported version (by e.g. changing the dependency to >=0.27.2, <1.7.0 or <2.0.0 or similar).

I can maybe make a PR if that is desired.
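Added example, not part of the original thread or of the Mollie client's code: a minimal range check showing why `^0.27.2` cannot resolve to the patched axios 1.6.0 while the ranges proposed above can. It handles plain `x.y.z` versions only; the function names and the candidate version list are assumptions, and the proposed ranges are written in npm's space-separated form.

```javascript
// Added example: minimal npm-style range check (plain x.y.z only, no prerelease tags).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret pins the left-most non-zero component:
// ^0.27.2 := >=0.27.2 <0.28.0, ^1.6.0 := >=1.6.0 <2.0.0, ^0.0.3 := >=0.0.3 <0.0.4
function caretBounds(base) {
  const [maj, min, pat] = parse(base);
  let upper;
  if (maj > 0) upper = [maj + 1, 0, 0];
  else if (min > 0) upper = [0, min + 1, 0];
  else upper = [0, 0, pat + 1];
  return { lower: [maj, min, pat], upper };
}

// A range is a space-separated AND of comparators, e.g. ">=0.27.2 <2.0.0".
function satisfies(version, range) {
  const v = parse(version);
  return range.trim().split(/\s+/).every((c) => {
    if (c.startsWith('^')) {
      const { lower, upper } = caretBounds(c.slice(1));
      return cmp(v, lower) >= 0 && cmp(v, upper) < 0;
    }
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
    const d = cmp(v, parse(m[2]));
    const op = m[1] || '=';
    if (op === '>=') return d >= 0;
    if (op === '<=') return d <= 0;
    if (op === '>') return d > 0;
    if (op === '<') return d < 0;
    return d === 0;
  });
}

// True when the range admits a candidate at or above the first patched release.
function admitsPatched(range, patched, candidates) {
  return candidates.some((v) => satisfies(v, range) && cmp(parse(v), parse(patched)) >= 0);
}

const candidates = ['0.27.2', '0.28.0', '1.5.1', '1.6.0']; // constructed sample list
```
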

@Nickk4

Nickk4 commented Nov 30, 2023

I second the need for upgrading the axios dependency. Even though the vulnerability doesn't apply to the way mollie uses the dependency, it takes away time from every developer having to research whether mollie is affected or not.

@janpaepke
Contributor

The new major version has been released (as a beta for now).

To install, use this:

```
npm install @mollie/api-client@beta
```
