Azurite
Outdated nested dependencies with moderate severity security issues
Which service(blob, file, queue, table) does this issue concern?
NA
Which version of the Azurite was used?
3.26.0
Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)
npm
What's the Node.js version?
18.14.1
What problem was encountered?
We have identified security vulnerabilities in Azurite's dependencies and would like to bring them to your attention. These vulnerabilities pose potential risks to the overall security of Azurite.
- tough-cookie < 4.1.3 - GHSA-72xf-g2v4-qvf3
- xml2js < 0.5.0 - GHSA-776f-qx25-q3cc
Both of these vulnerable packages originate from the direct dependency "@azure/ms-rest-js": "^1.5.0", which eventually resolves into "1.11.2" (the latest minor version). Please note that other nested packages could depend on the vulnerable ones.
```json
"@azure/ms-rest-js": {
  "version": "1.11.2",
  "resolved": "https://registry.npmjs.org/@azure/ms-rest-js/-/ms-rest-js-1.11.2.tgz",
  "integrity": "sha512-2AyQ1IKmLGKW7DU3/x3TsTBzZLcbC9YRI+yuDPuXAQrv3zar340K9wsxU413kHFIDjkWNCo9T0w5VtwcyWxhbQ==",
  "requires": {
    "@azure/core-auth": "^1.1.4",
    "axios": "^0.21.1",
    "form-data": "^2.3.2",
    "tough-cookie": "^2.4.3",
    "tslib": "^1.9.2",
    "tunnel": "0.0.6",
    "uuid": "^3.2.1",
    "xml2js": "^0.4.19"
  }
}
```
Steps to reproduce the issue?
NA
Have you found a mitigation/solution?
Update the outdated dependencies :)
@EmmaZhu
Would you please help to look at the dependencies upgrade issue?
Hello @blueww and @EmmaZhu
Just to let you know, there are other nested libs besides the one I specified depending on the vulnerable packages.
I managed to find some of them in the package-lock file: @azure/core-http, azure-storage (dev dep), and request (dev dep).
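The issue body traces the two advisories back through the "requires" entries of @azure/ms-rest-js, and the comment above notes that other nested packages pull the same vulnerable versions in. The script below, added here as an example and not part of the Azurite project, automates that trace over a package-lock v1 tree: it walks every "requires" entry, resolves it the way npm does (nearest nested copy wins, otherwise the hoisted root copy), and reports each requirer whose resolved version is below the first fixed release named in the advisory. The lockfile fragment, the installed versions (2.5.0, 0.4.23, 2.88.2), and the package "fixed-lib" are constructed for the demonstration; only the package names and GHSA ids come from the issue.

```javascript
// Constructed package-lock v1 fragment modelled on the issue (not Azurite's real lock).
const LOCK = { dependencies: {
  "@azure/ms-rest-js": { version: "1.11.2", requires: { "tough-cookie": "^2.4.3", xml2js: "^0.4.19" } },
  "tough-cookie": { version: "2.5.0" },
  xml2js: { version: "0.4.23" },
  request: { version: "2.88.2", dev: true, requires: { "tough-cookie": "~2.5.0" } },
  // Hypothetical package that pinned the fixed release: it gets its own nested copy
  // under its "dependencies" key and must not be flagged.
  "fixed-lib": { version: "1.0.0", requires: { "tough-cookie": "^4.1.3" },
                 dependencies: { "tough-cookie": { version: "4.1.3" } } },
} };

// Advisories named in the issue: package -> first fixed version and GHSA id.
const ADVISORIES = {
  "tough-cookie": { fixed: "4.1.3", id: "GHSA-72xf-g2v4-qvf3" },
  xml2js: { fixed: "0.5.0", id: "GHSA-776f-qx25-q3cc" },
};

// Numeric dotted-version compare (no prerelease handling): negative when a < b.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Resolve `name` as seen from the node at `path` (array of ancestor names), using
// npm's v1 nesting rule: nearest nested copy wins, falling back to the root copy.
function resolve(lock, path, name) {
  for (let depth = path.length; depth >= 0; depth--) {
    let node = lock;
    for (const p of path.slice(0, depth)) node = node.dependencies[p];
    if (node.dependencies && node.dependencies[name]) return node.dependencies[name];
  }
  return null;
}

// Report every package whose "requires" entry resolves to a vulnerable version.
function findVulnerableRequirers(lock, advisories) {
  const findings = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, name];
      for (const req of Object.keys(dep.requires || {})) {
        const adv = advisories[req], target = adv && resolve(lock, here, req);
        if (target && cmpVersion(target.version, adv.fixed) < 0)
          findings.push({ requirer: here.join(" > "), dev: !!dep.dev, pkg: req, version: target.version, advisory: adv.id });
      }
      walk(dep, here); // descend into nested (non-hoisted) copies
    }
  };
  walk(lock, []);
  return findings;
}
```

Run against a real lockfile by replacing LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json"))`; the `dev` flag separates findings that only reach development tooling from those shipped to users.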
Hi @blueww ! Any news on this issue?
@Dezzley
There might be a lot of code change for the "@azure/ms-rest-js" upgrade; @EmmaZhu is working on that and should be able to give more details.
@EmmaZhu are there any updates regarding this? Azurite (and @azure/ms-rest-js) has a dependency on an old and vulnerable axios version. Do you have an ETA for when the upgrade would be done?
@EmmaZhu @blueww any updates?
Hello @EmmaZhu , @blueww . Do you have any updates on the issue? 🙏🏾