[Snyk] Security upgrade axios from 0.21.4 to 0.31.1 #349
Conversation
…bilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AXIOS-16298058 - https://snyk.io/vuln/SNYK-JS-AXIOS-16299923
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
| @@ -33557,6 +28991,16 @@ | |||
| "node": ">=10.0.0" | |||
| } | |||
| }, | |||
| "node_modules/wait-on/node_modules/axios": { | |||
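Review bot: the entry this hunk introduces, `node_modules/wait-on/node_modules/axios`, is a nested copy of axios that is resolved from wait-on's own dependency range, not the top-level axios this PR bumps from 0.21.4 to 0.31.1, and the Semgrep findings on this PR point at exactly this lockfile path. The nested version is not visible in these context lines, so confirm it is also 0.31.0 or later; if wait-on's declared range does not admit 0.31.x, add an `overrides` entry for axios in client/package.json (or upgrade wait-on) so the nested copy moves as well, otherwise the top-level upgrade alone leaves the flagged copy in place.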
Medium severity vulnerability introduced by a package you're using:
Line 28994 lists a dependency (axios) with a known Medium severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise.
To resolve this comment:
Upgrade this dependency to at least version 0.31.0 at client/package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
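The header-injection gadget the finding above describes is a prototype-pollution key being picked up by a header merge and written to the wire with its CR/LF intact. The following is an added example (not axios, Semgrep or this PR's code; all function names are illustrative and the polluted key and value are constructed samples): a naive `for...in` merge leaks the inherited key, while an own-keys-only merge that rejects CR or LF in any name or value does not.

```javascript
// Added example (not axios, Semgrep or this PR's code): how a polluted
// Object.prototype entry flows through a naive header merge onto the wire,
// and how an own-keys-only merge with a CR/LF check stops it.
// All function names are assumed/illustrative.

const CRLF_RE = /[\r\n]/;

// Naive merge: for...in also enumerates inherited (possibly polluted) keys.
function naiveMergeHeaders(defaults, overrides) {
  const out = {};
  for (const k in defaults) out[k] = defaults[k];
  for (const k in overrides) out[k] = overrides[k];
  return out;
}

// Hardened merge: own keys only, and no CR or LF in any name or value.
function safeMergeHeaders(defaults, overrides) {
  const out = {};
  for (const src of [defaults, overrides]) {
    for (const k of Object.keys(src)) {
      const v = String(src[k]);
      if (CRLF_RE.test(k) || CRLF_RE.test(v)) {
        throw new TypeError(`Invalid character in header "${k}"`);
      }
      out[k] = v;
    }
  }
  return out;
}

// Render headers as they would appear in a raw HTTP/1.1 request.
function serializeHeaders(headers) {
  return Object.entries(headers).map(([k, v]) => `${k}: ${v}\r\n`).join('');
}

// Simulate a prototype-pollution bug elsewhere in the dependency tree
// (constructed sample key and value), run both merges, then clean up.
function demo() {
  const pollutedKey = 'X-Constructed';
  Object.prototype[pollutedKey] = 'ok\r\nX-Injected: 1';
  try {
    const base = { Accept: 'application/json' };
    const naiveWire = serializeHeaders(naiveMergeHeaders(base, {}));
    const safeWire = serializeHeaders(safeMergeHeaders(base, {}));
    // A caller who explicitly passes a CR/LF value is rejected as well.
    let explicitCrlfRejected = false;
    try {
      safeMergeHeaders(base, { 'X-Note': 'a\r\nX-Injected: 2' });
    } catch (e) {
      explicitCrlfRejected = e instanceof TypeError;
    }
    return {
      naiveWire,
      safeWire,
      naiveHasInjected: naiveWire.includes('\r\nX-Injected: 1\r\n'),
      safeHasInjected: safeWire.includes('X-Injected'),
      explicitCrlfRejected,
    };
  } finally {
    delete Object.prototype[pollutedKey];
  }
}

const result = demo();
console.log(result);
```

The point of the hardened merge is that it does not rely on nothing else in the process polluting `Object.prototype`: it only ever copies own keys, and it treats a CR or LF anywhere in a header as a hard error rather than something to strip.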
| @@ -33557,6 +28991,16 @@ | |||
| "node": ">=10.0.0" | |||
| } | |||
| }, | |||
| "node_modules/wait-on/node_modules/axios": { | |||
Medium severity vulnerability may affect your project—review required:
Line 28994 lists a dependency (axios) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying NO_PROXY, so requests to loopback or internal hosts such as localhost. or [::1] can be sent through a configured proxy instead of bypassing it. If an attacker can influence request URLs, they may force local/internal Axios traffic through an attacker-controlled proxy, undermining SSRF protections and exposing sensitive responses.
To resolve this comment:
Check if you have NO_PROXY configured in your environment.
- If you're affected, upgrade this dependency to at least version 0.31.0 at client/package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
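The finding above turns on hostname normalization: a NO_PROXY match done on the raw hostname misses spellings such as `localhost.` or `[::1]`, so those requests go through the proxy. The following is an added example (not axios, Semgrep or this PR's code; function names are illustrative and the NO_PROXY value is a constructed sample) of a NO_PROXY matcher that canonicalizes the host first, shown beside the non-normalizing comparison so the difference is visible; it also handles `*`, `.suffix` and `host:port` entries, which goes a little beyond the two hosts the finding names.

```javascript
// Added example (not axios, Semgrep or this PR's code): NO_PROXY matching that
// normalizes the request hostname first, so "localhost." and "[::1]" bypass
// the proxy exactly as "localhost" and "::1" do.
// Function names are assumed/illustrative; SAMPLE_NO_PROXY is a constructed value.

// Canonical form for comparison: lower-case, no IPv6 brackets, no trailing dot.
function normalizeHost(hostname) {
  let h = hostname.toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  while (h.endsWith('.')) h = h.slice(0, -1);
  return h;
}

// NO_PROXY is comma separated; entries are "*", "host", ".suffix" / "*.suffix",
// optionally with ":port". Each entry becomes a normalized rule.
function parseNoProxy(noProxy) {
  return noProxy.split(',').map(s => s.trim()).filter(Boolean).map(entry => {
    if (entry === '*') return { wildcard: true };
    const m = entry.match(/^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/);
    const rawHost = m ? m[1] : entry;          // bare "::1" falls through as-is
    const port = m && m[2] ? Number(m[2]) : null;
    const suffix = /^\*?\./.test(rawHost);
    return {
      wildcard: false,
      host: normalizeHost(rawHost.replace(/^\*?\./, '')),
      port,
      suffix,
    };
  });
}

// Normalizing matcher: the request host is canonicalized before any comparison.
function shouldBypassProxy(urlString, noProxy) {
  const u = new URL(urlString);
  const host = normalizeHost(u.hostname);
  const port = u.port ? Number(u.port) : (u.protocol === 'https:' ? 443 : 80);
  return parseNoProxy(noProxy).some(rule => {
    if (rule.wildcard) return true;
    if (rule.port !== null && rule.port !== port) return false;
    if (rule.suffix) return host === rule.host || host.endsWith('.' + rule.host);
    return host === rule.host;
  });
}

// The non-normalizing comparison the finding describes: raw hostname vs raw entry.
function naiveBypass(urlString, noProxy) {
  const host = new URL(urlString).hostname;
  return noProxy.split(',').map(s => s.trim()).some(e =>
    e === host || (e.startsWith('.') && host.endsWith(e)));
}

const SAMPLE_NO_PROXY = 'localhost,127.0.0.1,::1,.internal.example';
for (const target of ['http://localhost./admin', 'http://[::1]:8080/', 'http://example.com/']) {
  console.log(target,
    'naive bypass:', naiveBypass(target, SAMPLE_NO_PROXY),
    'normalized bypass:', shouldBypassProxy(target, SAMPLE_NO_PROXY));
}
```

Run under Node, the loop shows `localhost.` and `[::1]` reported as "not in NO_PROXY" by the naive comparison and as bypassed by the normalizing one, while `example.com` is proxied by both; the same normalization is what an environment check ("do I have NO_PROXY configured, and does it cover my loopback hosts in every spelling?") needs to answer.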
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- client/package.json
- client/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-AXIOS-16298058
- SNYK-JS-AXIOS-16299923
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.