
High severity vulnerability (axios) #1831

Closed
alexkuc opened this issue Jan 6, 2021 · 9 comments

Comments

@alexkuc

alexkuc commented Jan 6, 2021

Adding browser-sync as a dependency results in npm audit warning:

found 1 high severity vulnerability

Further details:


                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > localtunnel > axios                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 212 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Steps to reproduce:

  1. mkdir test && cd test
  2. npm init
  3. npm install -D browser-sync
  4. npm audit

It looks like localtunnel already has a GH issue on this: localtunnel/localtunnel#377

So I guess we need to wait for localtunnel to fix the issue and then bump dependency here?

PS: in the past a similar issue has happened (#1695)

@matthewmascord

What would the impact be of forcing the update of the Axios dependency from 0.19.0 to 0.21.1?

@alexkuc

alexkuc commented Jan 7, 2021

I didn't notice any breaking changes in the release log, but it is possible that some of the browser-sync functionality might break as there were quite a few changes in axios.

@englishextra

I guess I will have to live with that since:

localtunnel/localtunnel#377 (comment)

@hiphopappotamus

I ran into this problem too and couldn't get it resolved by updating axios or localtunnel, but what I ended up doing to solve it was updating nodejs to the latest stable release and then running npm update -g and making sure any local dependencies in my individual projects were up to date too (I use the npm-check-updates package for that).

Hopefully this method helps somebody... I'm still a little clueless when it comes to updating things from the git repositories, so I usually end up going the full nodejs update route.

@thomas-gordon

If you uninstall then re-install the current version of browser-sync, the localtunnel dependency should update and then the vulnerability will disappear.

@mattwelke

mattwelke commented Jan 11, 2021

@thomas-gordon That worked for me. GitHub's automated security updates couldn't figure out how to make a PR for me since browser-sync's version didn't need to be updated. Uninstalling and re-installing browser-sync updated the localtunnel transitive dependency to 2.0.1 which updated the axios transitive dependency to 0.21.0, resolving the security issue.

Because there's no need to do anything to browser-sync to resolve this now, this issue should be closed.

@thomas-gordon

Agreed, this can be closed.

@alexkuc

alexkuc commented Jan 11, 2021

LGTM:

mkdir test
cd test
npm init --yes --private
npm add --dev browser-sync
npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 203 scanned packages

So marking this as resolved.

@alexkuc alexkuc closed this as completed Jan 11, 2021
@waldyrious

To expand on @mattwelke's comment, the localtunnel dependency was upgraded from 1.9.2 to ^2.0.0 back in July; so as soon as 2.0.1 (which matches the ^2.0.0 version spec) on localtunnel was released with the fix, any new installations of browser-sync will now automatically pick that up. Yay for caret version ranges!
