Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency axios to ^1.7.4 [security] - autoclosed #29

Closed
wants to merge 1 commit into from
Closed

fix(deps): update dependency axios to ^1.7.4 [security] - autoclosed #29

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 10, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
axios (source) ^1.4.0 -> ^1.7.4 age adoption passing confidence

Axios Cross-Site Request Forgery Vulnerability

CVE-2023-45857 / GHSA-wf5p-g6vw-rhxx

More information

Details

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Server-Side Request Forgery in axios

CVE-2024-39338 / GHSA-8hc4-vh64-cxmj

More information

Details

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Severity

High

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

axios/axios (axios)

v1.7.4

Compare Source

Bug Fixes
Contributors to this release

v1.7.3

Compare Source

Bug Fixes
Contributors to this release

v1.7.2

Compare Source

Bug Fixes
Contributors to this release

v1.7.1

Compare Source

Bug Fixes
  • fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#​6410) (733f15f)
Contributors to this release

v1.7.0

Compare Source

Features
Bug Fixes
Contributors to this release

v1.6.8

Compare Source

Bug Fixes
  • AxiosHeaders: fix AxiosHeaders conversion to an object during config merging (#​6243) (2656612)
  • import: use named export for EventEmitter; (7320430)
  • vulnerability: update follow-redirects to 1.15.6 (#​6300) (8786e0f)
Contributors to this release

v1.6.7

Compare Source

Bug Fixes
  • capture async stack only for rejections with native error objects; (#​6203) (1a08f90)
Contributors to this release

v1.6.6

Compare Source

Bug Fixes
Contributors to this release

v1.6.5

Compare Source

Bug Fixes
Contributors to this release

v1.6.4

Compare Source

Bug Fixes
  • security: fixed formToJSON prototype pollution vulnerability; (#​6167) (3c0c11c)
  • security: fixed security vulnerability in follow-redirects (#​6163) (75af1cd)
Contributors to this release

v1.6.3

Compare Source

Bug Fixes
Contributors to this release

v1.6.2

Compare Source

Features
  • withXSRFToken: added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#​6046) (cff9967)
PRs
  • feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #​6046 )

📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour. 
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.
Contributors to this release

v1.6.1

Compare Source

Bug Fixes
  • formdata: fixed content-type header normalization for non-standard browser environments; (#​6056) (dd465ab)
  • platform: fixed emulated browser detection in node.js environment; (#​6055) (3dc8369)
Contributors to this release

v1.6.0

Compare Source

Bug Fixes
PRs

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
Contributors to this release

1.5.1 (2023-09-26)

Bug Fixes
  • adapters: improved adapters loading logic to have clear error messages; (#​5919) (e410779)
  • formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#​5917) (bc9af51)
  • headers: allow content-encoding header to handle case-insensitive values (#​5890) (#​5892) (4c89f25)
  • types: removed duplicated code (9e62056)
Contributors to this release
PRs

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

v1.5.1

Compare Source

Bug Fixes
  • adapters: improved adapters loading logic to have clear error messages; (#​5919) (e410779)
  • formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#​5917) (bc9af51)
  • headers: allow content-encoding header to handle case-insensitive values (#​5890) (#​5892) (4c89f25)
  • types: removed duplicated code (9e62056)
Contributors to this release

v1.5.0

Compare Source

Bug Fixes
  • adapter: make adapter loading error more clear by using platform-specific adapters explicitly (#​5837) (9a414bb)
  • dns: fixed cacheable-lookup integration; (#​5836) (b3e327d)
  • headers: added support for setting header names that overlap with class methods; (#​5831) (d8b4ca0)
  • headers: fixed common Content-Type header merging; (#​5832) (8fda276)
Features
Contributors to this release

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title fix(deps): update dependency axios to ^1.6.0 [security] fix(deps): update dependency axios to ^1.6.0 [security] - autoclosed Aug 13, 2024
@renovate renovate bot closed this Aug 13, 2024
@renovate renovate bot deleted the renovate/npm-axios-vulnerability branch August 13, 2024 05:35
@renovate renovate bot changed the title fix(deps): update dependency axios to ^1.6.0 [security] - autoclosed fix(deps): update dependency axios to ^1.6.0 [security] Aug 15, 2024
@renovate renovate bot restored the renovate/npm-axios-vulnerability branch August 15, 2024 05:46
@renovate renovate bot reopened this Aug 15, 2024
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 4d49dff to 6f39113 Compare August 15, 2024 05:47
@renovate renovate bot changed the title fix(deps): update dependency axios to ^1.6.0 [security] fix(deps): update dependency axios to ^1.7.4 [security] Aug 15, 2024
@renovate renovate bot changed the title fix(deps): update dependency axios to ^1.7.4 [security] fix(deps): update dependency axios to ^1.7.4 [security] - autoclosed Aug 28, 2024
@renovate renovate bot closed this Aug 28, 2024
@renovate renovate bot deleted the renovate/npm-axios-vulnerability branch August 28, 2024 23:40
@renovate renovate bot changed the title fix(deps): update dependency axios to ^1.7.4 [security] - autoclosed fix(deps): update dependency axios to ^1.7.4 [security] Aug 29, 2024
@renovate renovate bot reopened this Aug 29, 2024
@renovate renovate bot restored the renovate/npm-axios-vulnerability branch August 29, 2024 17:47
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 6f39113 to 8ba43d6 Compare August 29, 2024 17:47
@renovate renovate bot changed the title fix(deps): update dependency axios to ^1.7.4 [security] fix(deps): update dependency axios to ^1.7.4 [security] - autoclosed Sep 12, 2024
@renovate renovate bot closed this Sep 12, 2024
@renovate renovate bot deleted the renovate/npm-axios-vulnerability branch September 12, 2024 23:28
@renovate renovate bot changed the title fix(deps): update dependency axios to ^1.7.4 [security] - autoclosed fix(deps): update dependency axios to ^1.7.4 [security] Sep 13, 2024
@renovate renovate bot reopened this Sep 13, 2024
@renovate renovate bot restored the renovate/npm-axios-vulnerability branch September 13, 2024 02:28
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 8ba43d6 to 4a8f046 Compare September 13, 2024 02:28
@renovate renovate bot changed the title fix(deps): update dependency axios to ^1.7.4 [security] fix(deps): update dependency axios to ^1.7.4 [security] - autoclosed Sep 17, 2024
@renovate renovate bot closed this Sep 17, 2024
@renovate renovate bot deleted the renovate/npm-axios-vulnerability branch September 17, 2024 17:49
@renovate renovate bot changed the title fix(deps): update dependency axios to ^1.7.4 [security] - autoclosed fix(deps): update dependency axios to ^1.7.4 [security] Sep 18, 2024
@renovate renovate bot reopened this Sep 18, 2024
@renovate renovate bot restored the renovate/npm-axios-vulnerability branch September 18, 2024 05:58
@renovate
fix(deps): update dependency axios to ^1.7.4 [security]
14f82c7 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 4a8f046 to 14f82c7 Compare September 18, 2024 05:58
@renovate renovate bot changed the title fix(deps): update dependency axios to ^1.7.4 [security] fix(deps): update dependency axios to ^1.7.4 [security] - autoclosed Oct 10, 2024
@renovate renovate bot closed this Oct 10, 2024
@renovate renovate bot deleted the renovate/npm-axios-vulnerability branch October 10, 2024 02:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
type:security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants