
security issue in dependency #1171

Closed
2 of 4 tasks
wtrzy opened this issue Aug 13, 2024 · 7 comments
Labels
bug Something isn't working


@wtrzy

wtrzy commented Aug 13, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

Performing npm audit returns a security issue inside axios.

# npm audit 
# npm audit report

axios  >=1.3.2
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios

1 high severity vulnerability

To address all issues, run:
  npm audit fix

Minimum reproduction code

GHSA-8hc4-vh64-cxmj

Steps to reproduce

  1. npm audit
  2. npm audit fix
  3. npm audit

Expected behavior

npm audit | grep "found 0 vulnerabilities"

Package version

3.0.2

NestJS version

10.4.0

Node.js version

20.12.2

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

VSCode devcontainer running Oracle Linux 8
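The report and the expected-behaviour check above grep the human-readable npm audit text. As an added example (not code from this issue, from NestJS or from npm), the following reads the `npm audit --json` report shape used by npm v7 and later instead, and returns the findings at or above a chosen severity so a pipeline can fail on exactly the condition the issue describes. The sample report is constructed from the values visible in the issue (axios, high, GHSA-8hc4-vh64-cxmj, node_modules/axios); the other fields are placeholders.

```javascript
// Added example, not code from the nestjs issue or from npm: gate CI on
// `npm audit --json` (npm v7+ shape) rather than grepping the text report.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the report quoted in the issue (axios, high,
// GHSA-8hc4-vh64-cxmj, node_modules/axios); other fields are placeholders.
const SAMPLE_REPORT = {
  vulnerabilities: {
    axios: {
      name: "axios",
      severity: "high",
      via: [{
        title: "Server-Side Request Forgery in axios",
        url: "https://github.com/advisories/GHSA-8hc4-vh64-cxmj",
        severity: "high",
        range: ">=1.3.2",
      }],
      range: ">=1.3.2",
      nodes: ["node_modules/axios"],
      fixAvailable: true,
    },
  },
};

// One finding per advisory at or above `minSeverity`. A `via` entry that is
// just a package-name string means the advisory is listed under that other
// package's entry, so it is skipped here to avoid double counting.
function findingsAtOrAbove(report, minSeverity = "high") {
  const threshold = SEVERITY_RANK[minSeverity] ?? SEVERITY_RANK.high;
  const findings = [];
  for (const pkg of Object.values(report.vulnerabilities ?? {})) {
    for (const via of pkg.via ?? []) {
      if (typeof via !== "object" || via === null) continue;
      if ((SEVERITY_RANK[via.severity] ?? 0) < threshold) continue;
      findings.push({
        package: pkg.name, severity: via.severity, advisory: via.url,
        range: via.range, paths: pkg.nodes ?? [],
        fixAvailable: Boolean(pkg.fixAvailable),
      });
    }
  }
  return findings;
}

// Pipeline verdict: 0 when nothing at the threshold remains (the issue's
// "found 0 vulnerabilities" expectation), 1 otherwise.
function auditExitCode(report, minSeverity = "high") {
  return findingsAtOrAbove(report, minSeverity).length === 0 ? 0 : 1;
}
```

Feed it the output of `npm audit --json` (for example via `JSON.parse` on the captured stdout) and use `auditExitCode` as the job's exit status.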

@wtrzy wtrzy added the bug Something isn't working label Aug 13, 2024
@kiknaio

kiknaio commented Aug 13, 2024

The issue is related to the Axios SSRF vulnerability. Here are more details on that: https://security.snyk.io/vuln/SNYK-JS-AXIOS-7361793

@paskaran

paskaran commented Aug 13, 2024

We are also facing issues in our audit pipeline. Is there a fix planned?

@KieranMarienAppfoundry

We are also facing issues in our audit pipeline. Is there a fix planned?

axios/axios#6539

We need to wait for this PR to merge.

@paskaran

We are also facing issues in our audit pipeline. Is there a fix planned?

axios/axios#6539

We need to wait for this PR to merge.

Thanks 😃

@SmartByt3r

We are also facing issues in our audit pipeline. Is there a fix planned?

axios/axios#6539

We need to wait for this PR to merge.

PR already merged 😀

@KieranMarienAppfoundry

We are also facing issues in our audit pipeline. Is there a fix planned?

axios/axios#6539
We need to wait for this PR to merge.

PR already merged 😀

Yup, but they need to release it as v1.7.4. I assumed that would happen after the merge, but it seems like there are issues with it, because it changes the way some things are handled (not spec compliant, I believe). But they are working on a fix.

axios/axios#6463 (comment). axios/axios#6539 (comment).

Once 1.7.4 is out, the bot will automatically update it (I think).

@kamilmysliwiec
Member

#1173

@nestjs nestjs locked and limited conversation to collaborators Aug 14, 2024