
Latest Azurite version has vulnerable dependencies

Open joelverhagen opened this issue 1 year ago • 11 comments

This may be blocked by https://github.com/Azure/Azurite/issues/2470.

Steps to repro:

  1. npm init
  2. npm install azurite --save --include=dev
  3. npm audit

The audit report suggests a downgrade to Azurite 3.12.0 despite having just installed Azurite 3.33.0.

There is no clear way to resolve the vulnerable package errors while staying on the latest Azurite version.

The audit report is here:

```
up to date, audited 308 packages in 2s

67 packages are looking for funding
  run `npm fund` for details

# npm audit report

@azure/identity  <4.2.1
Severity: moderate
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@azure/identity
  tedious  11.0.9 - 18.2.0
  Depends on vulnerable versions of @azure/identity
  node_modules/tedious
    azurite  >=3.0.0-preview
    Depends on vulnerable versions of @azure/ms-rest-js
    Depends on vulnerable versions of axios
    Depends on vulnerable versions of tedious
    node_modules/azurite

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@azure/ms-rest-js/node_modules/axios
node_modules/axios
  @azure/ms-rest-js  <=2.6.6
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of tough-cookie
  Depends on vulnerable versions of xml2js
  node_modules/@azure/ms-rest-js

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tough-cookie

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@azure/ms-rest-js/node_modules/xml2js

7 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```

joelverhagen avatar Nov 11 '24 14:11 joelverhagen
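The repro above ends at the human-readable `npm audit` table. For triage it helps to know, per advisory, which direct dependency pulls the vulnerable package in, and to gate CI only on the severity you care about. The following script is an added example (not Azurite's code or anything from this thread); it reads the JSON form of the report and reconstructs the `azurite -> tedious -> @azure/identity` style chains. The sample report is constructed to mirror the chains shown above and is reduced to the `severity`/`isDirect`/`via`/`effects` fields, which is my reading of the `npm audit --json` v2 layout.

```python
"""Triage an `npm audit --json` report: map each GHSA advisory to the dependency
paths that pull it in, and gate on severity. Added example, not Azurite code."""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

def _adv(ghsa, severity):
    # Shape of an advisory object in a v2 audit report's "via" list (trimmed).
    return {"url": f"https://github.com/advisories/{ghsa}", "severity": severity}

def _pkg(severity, via, effects, direct=False):
    return {"severity": severity, "isDirect": direct, "via": via, "effects": effects}

# Constructed sample mirroring the chains in the issue (auditReportVersion 2
# layout, reduced to the fields this script reads); not real npm output.
SAMPLE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "@azure/identity": _pkg("moderate", [_adv("GHSA-m5vv-6r4h-3vj9", "moderate")], ["tedious"]),
    "tedious": _pkg("moderate", ["@azure/identity"], ["azurite"]),
    "axios": _pkg("high", [_adv("GHSA-wf5p-g6vw-rhxx", "moderate"),
                           _adv("GHSA-jr5f-v2jv-69x6", "high")], ["@azure/ms-rest-js", "azurite"]),
    "tough-cookie": _pkg("moderate", [_adv("GHSA-72xf-g2v4-qvf3", "moderate")], ["@azure/ms-rest-js"]),
    "xml2js": _pkg("moderate", [_adv("GHSA-776f-qx25-q3cc", "moderate")], ["@azure/ms-rest-js"]),
    "@azure/ms-rest-js": _pkg("moderate", ["axios", "tough-cookie", "xml2js"], ["azurite"]),
    "azurite": _pkg("high", ["@azure/ms-rest-js", "axios", "tedious"], [], direct=True),
}})

def paths_to_root(vulns, pkg, seen=()):
    """All paths direct-dependency -> ... -> pkg, following 'effects' upward."""
    entry = vulns.get(pkg)
    if entry is None or entry["isDirect"] or not entry["effects"] or pkg in seen:
        return [[pkg]]  # reached a direct dep, the tree top, or a cycle
    return [p + [pkg] for parent in entry["effects"]
            for p in paths_to_root(vulns, parent, seen + (pkg,))]

def advisory_chains(report_json):
    """GHSA id -> list of dependency paths through which it reaches the project."""
    vulns = json.loads(report_json)["vulnerabilities"]
    chains = {}
    for name, entry in vulns.items():
        for via in entry["via"]:
            if isinstance(via, dict):  # advisory object; strings are package names
                ghsa = via["url"].rsplit("/", 1)[-1]
                chains.setdefault(ghsa, []).extend(paths_to_root(vulns, name))
    return chains

def blocking_advisories(report_json, threshold="high"):
    """GHSA ids at or above `threshold`, for a CI gate that ignores the noise."""
    vulns = json.loads(report_json)["vulnerabilities"]
    floor = SEVERITY_RANK[threshold]
    return sorted({v["url"].rsplit("/", 1)[-1] for e in vulns.values()
                   for v in e["via"] if isinstance(v, dict)
                   and SEVERITY_RANK[v["severity"]] >= floor})

if __name__ == "__main__":
    for ghsa, paths in advisory_chains(SAMPLE_REPORT).items():
        print(ghsa, *[" -> ".join(p) for p in paths], sep="\n  ")
```

On a real project, feed it `npm audit --json > audit.json` instead of the sample; the two axios paths it prints correspond to the two `node_modules/.../axios` locations in the report above.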

Bumping this thread.

We are constantly running into CVEs through the use of axios in azurite, see the latest https://github.com/advisories/GHSA-jr5f-v2jv-69x6. Axios@0 is getting pulled in through transitive deps, and this issue https://github.com/Azure/Azurite/issues/2470 should resolve that.

aruniverse avatar Mar 11 '25 14:03 aruniverse

Hello @blueww @EmmaZhu, are there any updates regarding this?

krli-fadv avatar Apr 09 '25 15:04 krli-fadv

Watching for updates -- seems like a general review of dependencies / dependency versions is in order.

timtucker-dte avatar Jul 10 '25 15:07 timtucker-dte

What is the update on this?

tbo47 avatar Jul 21 '25 09:07 tbo47

There are still vulnerabilities in the latest version 3.35.0. Any update on this? Audit report:

```
@azure/identity  <4.2.1
Severity: moderate
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@azure/identity
  tedious  11.0.9 - 18.2.0
  Depends on vulnerable versions of @azure/identity
  node_modules/tedious
    azurite  >=3.0.0-preview
    Depends on vulnerable versions of @azure/ms-rest-js
    Depends on vulnerable versions of axios
    Depends on vulnerable versions of tedious
    node_modules/azurite

axios  <=0.29.0
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@azure/ms-rest-js/node_modules/axios
node_modules/azurite/node_modules/axios
  @azure/ms-rest-js  <=2.6.6
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of tough-cookie
  Depends on vulnerable versions of xml2js
  node_modules/@azure/ms-rest-js

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tough-cookie

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@azure/ms-rest-js/node_modules/xml2js

7 vulnerabilities (4 moderate, 3 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
```

mizoRC avatar Aug 07 '25 11:08 mizoRC

Hello Azurite team, is there some update on this? Particularly the axios dependency is problematic for us.

kcizkova avatar Aug 21 '25 07:08 kcizkova

This is a known issue, and the cost to fix it will be high. We are working on evaluating the size of the work and might have a conclusion on the size in 1-2 weeks.

blueww avatar Aug 21 '25 08:08 blueww

> This is a known issue, and the cost to fix it will be high. We are working on evaluating the size of the work and might have a conclusion on the size in 1-2 weeks.

Seems like #2566 would be a fast first step.

That opens up the possibility to use the native fetch implementation in Node 20 instead of @azure/ms-rest-js - which should cut the list of vulnerable dependencies significantly.

timtucker avatar Aug 21 '25 11:08 timtucker

> We are working on evaluating the size of the work and might have a conclusion on the size in 1-2 weeks.

Are there any updates to share on this?

MichaelSwigerAtBentley avatar Oct 03 '25 15:10 MichaelSwigerAtBentley

Over a year since this was opened and no updates in months.

This continues to fill up our daily Dependabot vulnerability alerts.

@blueww / @EmmaZhu - Did work for this ever get past the estimation & planning phase?

timtucker-dte avatar Dec 05 '25 18:12 timtucker-dte

@EmmaZhu I think you are working on the deprecated dependency issue, would you please help to update?

blueww avatar Dec 08 '25 05:12 blueww