Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: update axios to 1.6.1 to fix CVE-2023-45857 #147

Merged
merged 2 commits into from
Nov 14, 2023
Merged

fix: update axios to 1.6.1 to fix CVE-2023-45857 #147

merged 2 commits into from
Nov 14, 2023

Conversation

AndrewMax
Copy link

@AndrewMax AndrewMax commented Nov 7, 2023
edited
Loading

Axios was recently updated to fix CVE-2023-45857. This PR is to update to axios 1.6.0.

@AndrewMax AndrewMax closed this Nov 7, 2023
@AndrewMax AndrewMax reopened this Nov 7, 2023
@AndrewMax AndrewMax mentioned this pull request Nov 7, 2023
Closed
@tahaiftekhar
Copy link

This should be merged sooner rather than later

@seanputera
Copy link

Thank you!

@AndrewMax
Copy link
Author

AndrewMax commented Nov 8, 2023
edited
Loading

@jeffbski Can this get some attention please? Thanks a lot.

For more context: CVE-2023-45857 (CWE-359) XSRF-TOKEN value is disclosed to an unauthorised actor, fixed in axios 1.6.0.

@denysoblohin-okta denysoblohin-okta mentioned this pull request Nov 8, 2023
Merged
@pat-s
Copy link

pat-s commented Nov 10, 2023

And update and a subsequent release would be great!

@AndrewMax AndrewMax mentioned this pull request Nov 11, 2023
Open
@6543 6543 mentioned this pull request Nov 12, 2023
Closed
@pnappa pnappa mentioned this pull request Nov 12, 2023
Closed
ghost
ghost reviewed Nov 13, 2023
View reviewed changes
package.json Outdated
@@ -38,7 +38,7 @@
"temp": "^0.9.4"
},
"dependencies": {
"axios": "^0.27.2",
"axios": "^1.6.0",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can directly upgrade to 1.6.1.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@porschesstein Thanks, updated. When I originally opened this PR, the latest version of Axios was still 1.6.0.

@AndrewMax AndrewMax changed the title fix: update axios to 1.6.0 to fix CVE-2023-45857 fix: update axios to 1.6.1 to fix CVE-2023-45857 Nov 13, 2023
@AndrewMax AndrewMax requested a review from a user November 13, 2023 16:04
@benasher44
Copy link

Guess we'll just have to wait-on this PR.

@wellwelwel
Copy link

Tested locally and worked perfectly 🚀

@wellwelwel wellwelwel mentioned this pull request Nov 14, 2023
Merged
19 tasks
@littleamigo
Copy link

I hope this gets merged soon and then released! Looking forward...

@reesscot reesscot mentioned this pull request Nov 14, 2023
Merged
5 tasks
@jeffbski jeffbski merged commit fc27d1b into jeffbski:master Nov 14, 2023
@jeffbski
Copy link
Owner

Thanks @AndrewMax for the PR and for those that confirmed it. It is published to wait-on@7.2.0

https://github.com/jeffbski/wait-on/releases/tag/v7.2.0

@AndrewMax AndrewMax deleted the amaks/fix/axios-1.6.0 branch November 14, 2023 18:42
This was referenced Nov 14, 2023
Closed
Merged
@patrick-hardin patrick-hardin mentioned this pull request Nov 14, 2023
Merged
facebook-github-bot pushed a commit to WhatsApp/erlang-language-platform that referenced this pull request Nov 29, 2023
@robertoaloi @facebook-github-bot
Bump wait-on to 7.2.0 to address vulnerability
987b28b 
Summary: As per title. This avoids the axios vulnerability thanks to jeffbski/wait-on#147.

Reviewed By: alanz

Differential Revision: D51544987

fbshipit-source-id: f15a001aa1eaab14935cf521dd26dfa3938489e6
@wvanderdeijl wvanderdeijl mentioned this pull request Dec 19, 2023
Open
@JamesBurnside JamesBurnside mentioned this pull request Jan 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@seanputera seanputera seanputera approved these changes

@wellwelwel wellwelwel wellwelwel approved these changes

@mboere-seek mboere-seek mboere-seek approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@AndrewMax @tahaiftekhar @seanputera @pat-s @benasher44 @wellwelwel @littleamigo @jeffbski @mboere-seek