This repository has been archived by the owner on Aug 29, 2023. It is now read-only.

NPM audit shows security problem in dependency "axios" #54

Open
cyril23 opened this issue Dec 15, 2021 · 3 comments

Comments


cyril23 commented Dec 15, 2021

Hi guys,

so this is my package.json:

{
  "name": "tplinkkasa",
  "version": "1.0.0",
  "description": "",
  "main": "server.js",
  "dependencies": {
    "tplink-cloud-api": "^0.8.1",
    "express": "^4.17.1",
    "body-parser": "^1.19.0"
  },
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "node server.js"
  },
  "author": "CY",
  "license": "ISC"
}

I'm using the current version 0.8.1 of tplink-cloud-api.
Further information:

$ node -v
v14.18.2
$ npm -v
8.3.0

Running npm audit shows me a warning because of 2 high severity vulnerabilities:

$ npm audit
# npm audit report

axios  <=0.21.1
Severity: high
Incorrect Comparison in axios - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Server-Side Request Forgery in Axios - https://github.com/advisories/GHSA-4w2v-q235-vp99
fix available via `npm audit fix --force`
Will install tplink-cloud-api@0.1.4, which is a breaking change
node_modules/axios
  tplink-cloud-api  >=0.2.0
  Depends on vulnerable versions of axios
  node_modules/tplink-cloud-api

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Obviously I won't run npm audit fix --force because I don't want to downgrade tplink-cloud-api to 0.1.4.

  • You currently use: "axios": "^0.18.1"
  • Looking at Incorrect Comparison in axios - GHSA-cph5-m8f7-6c5x:
    • Affected versions: <= 0.21.1
    • Patched versions: 0.21.2
  • Looking at Server-Side Request Forgery in Axios - GHSA-4w2v-q235-vp99:
    • Affected versions: < 0.21.1
    • Patched versions: 0.21.1
  • Therefore you should use at least Axios 0.21.2

Can you fix that, please?
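As an added example (not code from this issue or from the tplink-cloud-api project), the caret-range arithmetic behind the audit's downgrade suggestion: the library's declared `"axios": "^0.18.1"` can never resolve to the patched 0.21.2, so the only fix within declared ranges is the downgrade, while an `overrides` entry (supported from npm 8.3.0, the version in the report) in the application's own package.json forces the transitive version instead. All function names are hypothetical.

```javascript
// Added example: node-semver caret semantics for the two cases that matter here
// (^0.x.y and ^x.y.z), and an npm `overrides` entry built from the result.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of a caret range, per node-semver:
//   ^1.2.3 -> <2.0.0   ^0.18.1 -> <0.19.0   ^0.0.3 -> <0.0.4
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `${major}.${minor + 1}.0`;
  return `${major}.${minor}.${patch + 1}`;
}

function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// Can a plain `npm update` reach the first patched version given the
// dependent's declared range? For "^0.18.1" vs "0.21.2" the answer is no.
function fixReachable(declaredRange, patchedVersion) {
  return caretSatisfies(declaredRange, patchedVersion);
}

// When the range blocks the fix, add an `overrides` entry to the application's
// package.json (constructed input below) so npm pins the transitive package
// at a patched version without downgrading the direct dependency.
function buildOverride(pkgJson, dep, patchedVersion) {
  return {
    ...pkgJson,
    overrides: { ...(pkgJson.overrides || {}), [dep]: `^${patchedVersion}` },
  };
}

// Constructed sample matching the report: app depends on tplink-cloud-api,
// which declares axios ^0.18.1; the first fully patched axios is 0.21.2.
const appPkg = { name: 'tplinkkasa', dependencies: { 'tplink-cloud-api': '^0.8.1' } };
const patchedApp = buildOverride(appPkg, 'axios', '0.21.2');
```

The override bypasses the library's own range, so run the library's tests against the forced axios version before relying on it, then confirm with `npm ls axios` and `npm audit`.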

@epfromer

I too ran into this problem today while exploring this useful library. I lifted the login and switch code and was able to get things working directly in my app using native fetch(). @adumont if you are interested, I could look into replacing axios with fetch in a PR.

@adumont (Owner)

adumont commented Dec 18, 2021 via email

@epfromer

#55

I updated all packages and stuck with axios, since this repo doesn't necessarily run within the DOM and have access to the DOM fetch(). I also added an example app which I used to test the library. All original tests pass.
