jupyter/nbdime

Security issue in axios dependency

tiltingpenguin opened this issue · 5 comments

There was an SSRF security vulnerability found in axios (CVE-2024-39338). Could you bump the version of axios used to 1.7.4, which is the patched version?

references:

@tiltingpenguin can you point to a place in code where axios is used?

axios is a dependency of a dependency (nx), but the vulnerable version is pulled in, as you can see in the package-lock.json at line 6869. I can't say exactly whether vulnerable code is used by nbdime, as I haven't looked into it that deeply, but is there a reason not to update it?

Feel welcome to update it! This was just to highlight that axios is likely NOT used in the code shipped by nbdime (nor is nx).

See also jupyterlab/jupyterlab#16698

Thanks for making me aware of this. We got a bug in openSUSE Tumbleweed about the security issue, so I will update it just to be safe. But it would be great if you could provide a list of packages that are actually shipped in the future like in the jupyterlab issue you linked.

Thanks for the context and sorry for brevity.

But it would be great if you could provide a list of packages that are actually shipped in the future like in the jupyterlab issue you linked

Great to hear it would be useful! I wonder how we can make this easier for everyone. I know that GitHub recognised this problem with dependabot by allowing to auto-dismiss likely false positives (e.g. from packages only used in devDependencies): https://github.blog/changelog/2023-05-02-dependabot-alerts-now-automatically-dismiss-false-positives-for-npm-public-beta/
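As an added example (not nbdime's own code or tooling), the following script performs the triage discussed in this thread: it reads an npm lockfile (lockfileVersion 2 or 3, which carries a `packages` map with a `dev: true` flag on entries reachable only from devDependencies), finds every installed copy of a package below the fixed version, and reports whether any of them is a production dependency. The lockfile below is constructed for the example; the package names and versions in it are illustrative.

```python
import json

# Constructed sample lockfile in npm lockfileVersion 3 layout (not nbdime's real one).
# nx is a devDependency that pulls in axios, so axios carries the "dev" flag.
SAMPLE_LOCK = json.dumps({
    "name": "example-project",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.0.0"}, "devDependencies": {"nx": "^19.0.0"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/nx": {"version": "19.5.0", "dev": True, "dependencies": {"axios": "^1.7.0"}},
        "node_modules/axios": {"version": "1.7.2", "dev": True},
    },
})


def parse_version(version):
    """Turn '1.7.4' (or '1.7.4-beta') into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def find_vulnerable(lock_text, name, fixed_version):
    """Return every installed copy of `name` older than `fixed_version`.

    Each hit records the install path, its version and whether npm marked it
    dev-only (reachable solely through devDependencies). Nested installs such
    as node_modules/nx/node_modules/axios are matched by their last segment.
    """
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path or path.split("node_modules/")[-1] != name:
            continue
        version = meta.get("version", "0")
        if parse_version(version) < parse_version(fixed_version):
            hits.append({"path": path, "version": version, "dev_only": bool(meta.get("dev"))})
    return hits


def is_shipped_risk(lock_text, name, fixed_version):
    """True if any vulnerable copy is a production (non-dev) dependency."""
    return any(not hit["dev_only"] for hit in find_vulnerable(lock_text, name, fixed_version))


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_LOCK, "axios", "1.7.4"):
        print(f"{hit['path']} {hit['version']} dev_only={hit['dev_only']}")
    print("shipped risk:", is_shipped_risk(SAMPLE_LOCK, "axios", "1.7.4"))
```

Running it against a real lockfile (replace SAMPLE_LOCK with the file contents) answers the question raised above: a dev-only hit still deserves an update, but it does not mean the vulnerable code is in the package that users install.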