sendgrid/sendgrid-nodejs

Please upgrade axios in the @sendgrid/client since it has security issue

Closed this issue · 8 comments

Issue Summary

@sendgrid/client has a dependency on axios@0.21.4, and that version of axios has a high severity security issue (as per whitesource). Please see the image below; it seems the issue is resolved in any version higher than 0.21.4.

[image not preserved]

Technical details:

  • sendgrid-client version: 7.6.0
  • node version: 16

This issue has been added to our internal backlog to be prioritized. Pull requests and +1s on the issue summary will help it move up the backlog.

Hi @eshanholtz, any update on upgrading axios@0.21.4 to the latest version to fix the security vulnerability in @sendgrid/client?

Hi @eshanholtz, any update on this? If you need any detail or help, let me know. Due to this issue our production release is on hold.
This has been raised since November.

@eshanholtz it's a high severity issue. Should help with prioritization.

This is the issue: GHSA-74fj-2j2h-c42q

This is how it ends up in the sendgrid libraries:

follow-redirects@1.14.4
node_modules/follow-redirects
  follow-redirects@"^1.14.0" from axios@0.21.4
  node_modules/axios
    axios@"^0.21.4" from @sendgrid/client@7.6.0
    node_modules/@sendgrid/client
      @sendgrid/client@"^7.5.0" from the root project
      @sendgrid/client@"^7.6.0" from @sendgrid/mail@7.6.0
      node_modules/@sendgrid/mail
        @sendgrid/mail@"^7.6.0" from the root project

If you are using npm >= 8.3.0, you can add an "overrides": {} section to your package.json and force another version of axios until this is fixed. Please make sure you run a regression test in case there was a breaking change.

https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides

@RezaRahmati tried to use the overrides property of package.json to override the axios version to 0.25.0 but couldn't succeed.
sample 1 :

{
    "dependencies": {
        "@sendgrid/mail": "^7.6.0",
        "bluebird": "^3.5.1"
    },
    "overrides": {
        "axios": "0.25.0"
    }
}

sample 2 :

{
    "dependencies": {
        "@sendgrid/mail": "^7.6.0",
        "bluebird": "^3.5.1"
    },
    "overrides": {
        "@sendgrid/mail": {
            "@sendgrid/client": {
                "axios": "0.25.0"
            }
        }
    }
}

Could you please share the code change for the same?

Node : 14.19.0
npm : 6.14.16

please read my answer again, it needs node >= 8.3.0