Upgrade Axios to a version without security errors #20211

Closed
1 of 4 tasks
jenseo opened this issue Nov 13, 2023 · 5 comments · Fixed by #20493
Labels
community This is a good first issue for contributing outdated scope: misc Misc issues type: bug

Comments

@jenseo
jenseo commented Nov 13, 2023

Current Behavior

npm audit catches a CSRF vulnerability in the axios devDependency of nx.

GHSA-wf5p-g6vw-rhxx

Expected Behavior

Bump axios to >=1.6.0, which patches the security issue.

GitHub Repo

No response

Steps to Reproduce

  1. Install nx in a project
  2. Run npm audit

Nx Report

   Node   : 18.17.1
   OS     : darwin-arm64
   pnpm   : 8.9.0

   nx (global)  : 16.7.4
   nx           : 16.7.4
   @nrwl/tao    : 16.7.4
   typescript   : 5.2.2

Failure Logs

│ moderate            │ Axios Cross-Site Request Forgery Vulnerability         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ axios                                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0.8.1 <1.6.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.6.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > nx@16.7.4 > axios@1.4.0                            │
│                     │                                                        │
│                     │ packages/nuxt-module > @nuxt/devtools@0.8.3 >          │
│                     │ wait-on@7.0.1 > axios@0.27.2                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-wf5p-g6vw-rhxx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
2 vulnerabilities found
Severity: 2 moderate

Package Manager Version

No response

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

No response
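An added example, not part of the original issue or of the nx code base: a check that walks a dependency tree and lists every path that resolves axios inside the advisory range `>=0.8.1 <1.6.0`, the same information the audit table's Paths row reports. It assumes a tree shaped like `npm ls --all --json` output; the sample tree is constructed from the versions in the audit log, and `patched-consumer` is a hypothetical package.

```javascript
// Advisory range taken from the audit table above: >=0.8.1 <1.6.0
const VULN_MIN = [0, 8, 1];
const PATCHED = [1, 6, 0];

// Parse "1.4.0" into [1, 4, 0]. Pre-release and build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  return compare(v, VULN_MIN) >= 0 && compare(v, PATCHED) < 0;
}

// Walk the tree and collect every dependency path ending in an affected axios.
// Assumed node shape: { version, dependencies: { name: node } }.
function findVulnerablePaths(node, trail = ['.'], found = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    if (!dep.version) continue; // entries without a resolved version are skipped
    const here = [...trail, `${name}@${dep.version}`];
    if (name === 'axios' && isVulnerable(dep.version)) found.push(here.join(' > '));
    findVulnerablePaths(dep, here, found);
  }
  return found;
}

// Constructed sample tree; versions mirror the audit log in this issue.
const sampleTree = {
  dependencies: {
    nx: { version: '16.7.4', dependencies: { axios: { version: '1.4.0' } } },
    '@nuxt/devtools': {
      version: '0.8.3', dependencies: {
        'wait-on': { version: '7.0.1', dependencies: { axios: { version: '0.27.2' } } },
      },
    },
    'patched-consumer': { version: '1.0.0', dependencies: { axios: { version: '1.6.0' } } },
  },
};

console.log(findVulnerablePaths(sampleTree).join('\n'));
```

Both flagged paths are transitive, so the fix has to come from the parent package (here nx) shipping a release that depends on axios >=1.6.0, or from a package-manager override in the consuming project.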

@AgentEnder AgentEnder added scope: misc Misc issues community This is a good first issue for contributing labels Nov 16, 2023
Phillip9587 added a commit to Phillip9587/nx that referenced this issue Nov 30, 2023
Phillip9587 added a commit to Phillip9587/nx that referenced this issue Dec 12, 2023
@aspergillusOryzae
Will this be patched on nx v15.3.X too?

@matwebmasta
Hi, same issue for v17.xx

@dodesheide
Same issue for us.

mandarini pushed a commit to Phillip9587/nx that referenced this issue Jan 30, 2024
@EelcoLos
This is still the case with nx-cloud.
If I uninstall nx-cloud, I'd get

NX Could not find runner configuration for default

github-actions bot commented Mar 2, 2024

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 2, 2024