IBM/node-sdk-core

Axios 0.18.0 Vulnerabilities

chughts opened this issue · 5 comments

The Node-RED Watson nodes which depend on IBM-Watson, and in turn node-sdk-core, are no longer deploying in IBM Cloud due to a vulnerability in Axios 0.18.0.

The current release of node-sdk-core has a dependency on Axios at 0.18.0.

The dependency in node-sdk-core needs to be bumped to remove this vulnerability.

Update: This appears to be a problem associated with the rebuild / restage of existing cloud foundry applications. New IBM Cloud applications deploy successfully.

This leads me to think that there may be an incompatibility between Axios and older Cloud Foundry buildpacks and / or node.js versions.

@chughts I'm hoping that #96 resolves this issue. @MasterOdin left a comment about why you may be seeing the behavior you mentioned above. Let me know if you are able to resolve the deployment and we can close this issue.

@dpopp07 That explanation makes sense. It's something to be aware of for me. After your update, and hopefully IBM-Watson's, I can make a dependency change which node-red deployments can force by bumping the node-red dependency on the Watson nodes.

In the meantime I can ask them to force the axios bump by adding in a direct dependency on node-sdk-core at 2.4.1.

I'll try a direct dependency on `"ibm-cloud-sdk-core": "2.4.1"`.

Making a direct dependency on 2.4.1 probably will not fix the axios issue if there's a package-lock.json file involved, as it will not bump the versions of transient dependencies (so you'll be using ibm-cloud-sdk-core 2.4.1 with axios 0.18.0). A 2.4.2 release (which I guess #97 is warning about?) needs to be cut that specifies axios ^0.18.1, and then doing a direct dependency on ibm-cloud-sdk-core would work for existing projects.