
Moderate security vulnerability for versions of Axios 0.8.1 - 1.5.1 (Dependency) #76

Closed
OIRNOIR opened this issue Nov 12, 2023 · 14 comments · Fixed by #77

Comments

@OIRNOIR
Contributor

OIRNOIR commented Nov 12, 2023

This shows a moderate security vulnerability in the npm audit text, since PM2 depends on this package. The fixed version is Axios 1.6.0 and higher. I suggest we migrate towards that one.

@RobinTail

Reference: GHSA-wf5p-g6vw-rhxx

@globalexport

Maybe it is time to leave axios for another library since the used v0.21.4 is far away from current state. Undici perhaps?

@buffcode

@globalexport Axios is maintained. pm2/js-api isn't maintained enough to keep up with dependency updates ;)

@globalexport

@buffcode You are right. Although it would be nice to avoid having such a dependency at all. I am getting audit failures for dozens of projects just because of this case everyday. And it's open for two weeks now. :/

@MartinFalatic

Any package that isn't maintained enough to keep up with vulnerabilities is effectively dead. Either the vulnerability should be fixed or the package replaced.

@OIRNOIR
Contributor Author

OIRNOIR commented Dec 5, 2023

> Any package that isn't maintained enough to keep up with vulnerabilities is effectively dead. Either the vulnerability should be fixed or the package replaced.

The package's own vulnerability has been fixed. We are just using a severely outdated version of said package. We need to update the package or else it is this project that becomes "effectively dead".

@JackHammer29

Any update on this please?

@OIRNOIR
Contributor Author

OIRNOIR commented Dec 8, 2023

> Any update on this please?

We're still waiting for @Unitech to review my PR. It's honestly getting annoying seeing Dependabot email me about this vulnerability.

@guizzo

guizzo commented Dec 13, 2023

@Unitech Any update?

@estevanpedro

How do I fix this? Should I stop using pm2? What are the other options/solutions?

@smo043

smo043 commented Dec 23, 2023

Added details here - Unitech/pm2#5728

@boxexchanger

@Unitech any update?

@Unitech
Member

Unitech commented Jan 20, 2024

fixed via pm2@5.3.1

@kopacko

kopacko commented Mar 15, 2024

The UUID version issue is not fixed with pm2 v5.3.1.

/usr/lib
├─┬ pm2@5.3.1
│ └─┬ @pm2/io@5.0.2
│   ├─┬ @opencensus/core@0.0.9
│   │ └── uuid@3.4.0
│   └─┬ @opencensus/propagation-b3@0.0.8
│     ├─┬ @opencensus/core@0.0.8
│     │ └── uuid@3.4.0 deduped
│     └── uuid@3.4.0 deduped
└── uuid@9.0.1
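The thread turns on two questions a maintainer has to answer before closing an issue like this: is a transitive dependency still present at a version inside an advisory's affected range, and through which path does it arrive? Below is an added example, written for this thread and not code from pm2, pm2/js-api or any of the commenters, that walks the nested `dependencies` structure `npm ls --json --all` emits and reports both. The affected range for axios (0.8.1 to 1.5.1, fixed in 1.6.0) is the one the advisory GHSA-wf5p-g6vw-rhxx referenced above states; the sample tree is constructed, modelled on the `npm ls` output quoted in the last comment, and the `@pm2/js-api` version in it is a placeholder. No third-party semver library is used, so the script runs offline with plain Node.

```javascript
// Added example (not project code): audit an `npm ls --json --all` tree for
// packages whose version falls inside an advisory's affected range, and list
// every dependency path that leads to a given package.

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive check: min <= version <= max. Unparseable versions are not flagged.
function inRange(version, min, max) {
  const v = parseVersion(version);
  if (!v) return false;
  return compareVersions(v, parseVersion(min)) >= 0 &&
         compareVersions(v, parseVersion(max)) <= 0;
}

// Depth-first walk over the `dependencies` nesting of npm ls JSON output.
// `visit` receives the package name, its node and the path from the root.
function walk(node, visit, path = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    visit(name, child, here);
    walk(child, visit, here);
  }
}

// Return one finding per occurrence of a package inside an affected range.
function findVulnerable(tree, advisories) {
  const out = [];
  walk(tree, (name, node, path) => {
    const adv = advisories[name];
    if (adv && inRange(node.version, adv.min, adv.max)) {
      out.push({ name, version: node.version, advisory: adv.id,
                 fixed: adv.fixed, path: path.join(' > ') });
    }
  });
  return out;
}

// Return every path (root to leaf) that ends in the named package.
function pathsTo(tree, pkg) {
  const out = [];
  walk(tree, (name, node, path) => { if (name === pkg) out.push(path.join(' > ')); });
  return out;
}

// Advisory data as stated in the thread (GHSA-wf5p-g6vw-rhxx).
const ADVISORIES = {
  axios: { id: 'GHSA-wf5p-g6vw-rhxx', min: '0.8.1', max: '1.5.1', fixed: '1.6.0' },
};

// Constructed sample tree in the shape of `npm ls --json --all`. The pm2,
// @pm2/io, @opencensus/core and uuid versions mirror the tree quoted in the
// thread; axios 0.21.4 is the version the thread says js-api pins; the
// @pm2/js-api version 0.0.0 is a placeholder, not a real release.
const SAMPLE_TREE = {
  name: 'example-app', version: '1.0.0',
  dependencies: {
    pm2: { version: '5.3.1', dependencies: {
      '@pm2/io': { version: '5.0.2', dependencies: {
        '@opencensus/core': { version: '0.0.9', dependencies: {
          uuid: { version: '3.4.0' } } } } },
      '@pm2/js-api': { version: '0.0.0', dependencies: {
        axios: { version: '0.21.4' } } },
    } },
    axios: { version: '1.6.0' },   // the fixed release at top level is not flagged
    uuid: { version: '9.0.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findVulnerable(SAMPLE_TREE, ADVISORIES)) {
    console.log(`${f.advisory}: ${f.name}@${f.version} (fixed in ${f.fixed}) via ${f.path}`);
  }
  console.log('paths to uuid:', pathsTo(SAMPLE_TREE, 'uuid'));
}

module.exports = { parseVersion, inRange, findVulnerable, pathsTo, ADVISORIES, SAMPLE_TREE };
```

Run it against real data with `npm ls --json --all > tree.json` and `JSON.parse` of that file in place of `SAMPLE_TREE`; the point the output makes is the one kopacko's comment makes: a fixed top-level version (axios@1.6.0 or uuid@9.0.1 here) says nothing about the copies nested under pm2, which is why `npm audit` keeps reporting them.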
