Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New vulnerability detected in Node dependency axios #12085

Closed
terrytangyuan opened this issue Oct 26, 2023 · 4 comments · Fixed by #12111
Closed

New vulnerability detected in Node dependency axios #12085

terrytangyuan opened this issue Oct 26, 2023 · 4 comments · Fixed by #12111
Labels
javascript Pull requests that update Javascript dependencies type/dependencies PRs and issues specific to updating dependencies type/security Security related

Comments

@terrytangyuan
Copy link
Member

terrytangyuan commented Oct 26, 2023
edited
Loading

Master branch failed with:

 Issues with no direct upgrade or patch:
  ✗ Cross-site Request Forgery (CSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459] in axios@1.5.1
    introduced by swagger-ui-react@4.19.1 > swagger-client@3.23.1 > @swagger-api/apidom-reference@0.78.0 > axios@1.5.1
  No upgrade or patch available

https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

There is a documented workaround that we can use or wait for a new axios patch.
@terrytangyuan terrytangyuan added the type/security Security related label Oct 26, 2023
@agilgur5 agilgur5 added type/dependencies PRs and issues specific to updating dependencies javascript Pull requests that update Javascript dependencies labels Oct 26, 2023
@agilgur5
Copy link

agilgur5 commented Oct 26, 2023
edited
Loading

This is pretty deep in swagger-ui-react's usage, so I don't think we'd be able to configure the workaround. Will probably have to wait for a patch

I'm not sure if we're actually affected by it either though, since it only occurs on a specific codepath and I don't think the API docs require a cookie (but idk how swagger-ui-react is configuring the request)

@terrytangyuan
Copy link
Member Author

terrytangyuan commented Oct 26, 2023
edited
Loading

The issue in axios seems very active so I would expect a patch would be available soon.

terrytangyuan added a commit to terrytangyuan/argo-workflows that referenced this issue Oct 31, 2023
@terrytangyuan
fix: Upgrade axios to v1.6.0. Fixes argoproj#12085
d6e688a 
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
@terrytangyuan terrytangyuan mentioned this issue Oct 31, 2023
Merged
@terrytangyuan
Copy link
Member Author

Bumped version in #12111

@agilgur5
Copy link

The issue in axios

For reference: axios/axios#6006, axios/axios#6022

terrytangyuan added a commit that referenced this issue Oct 31, 2023
@terrytangyuan
fix: Upgrade axios to v1.6.0. Fixes #12085 (#12111)
f200826 
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Yuan (Terry) Tang <terrytangyuan@gmail.com>
Co-authored-by: Anton Gilgur <4970083+agilgur5@users.noreply.github.com>
terrytangyuan added a commit that referenced this issue Nov 3, 2023
@terrytangyuan
fix: Upgrade axios to v1.6.0. Fixes #12085 (#12111)
2a044bf 
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Yuan (Terry) Tang <terrytangyuan@gmail.com>
Co-authored-by: Anton Gilgur <4970083+agilgur5@users.noreply.github.com>
terrytangyuan added a commit that referenced this issue Nov 3, 2023
@terrytangyuan
fix: Upgrade axios to v1.6.0. Fixes #12085 (#12111)
9e04496 
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Yuan (Terry) Tang <terrytangyuan@gmail.com>
Co-authored-by: Anton Gilgur <4970083+agilgur5@users.noreply.github.com>
dpadhiar pushed a commit to dpadhiar/argo-workflows that referenced this issue May 9, 2024
@terrytangyuan @agilgur5 @dpadhiar
fix: Upgrade axios to v1.6.0. Fixes argoproj#12085 (argoproj#12111)
f77d6a4 
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Yuan (Terry) Tang <terrytangyuan@gmail.com>
Co-authored-by: Anton Gilgur <4970083+agilgur5@users.noreply.github.com>
Signed-off-by: Dillen Padhiar <dillen_padhiar@intuit.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
javascript Pull requests that update Javascript dependencies type/dependencies PRs and issues specific to updating dependencies type/security Security related
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Upgrade axios to v1.6.0. Fixes #12085 terrytangyuan/argo-workflows
2 participants
@terrytangyuan @agilgur5