prismarine-auth
The dependency Axios has a security breach
Dependencies:
[email protected]
└─┬ @xboxreplay/[email protected]
  └── [email protected]
Axios versions from 0.8.1 through 1.5.1 are affected by a moderate severity Cross-Site Request Forgery (CSRF) vulnerability, and the issue has been patched in version 1.6.0.
I talked to Alexis B, who made Xboxreplay, and he will try to update to a new 5.0.0 version ASAP.
Two notes: CSRF is only a thing in browsers, and it's only a problem if loading data from arbitrary URLs. For example, a user is logged into a website, then someone in a GitHub comment posts a link to that website, then someone clicks it and the website does some action automatically on their behalf because their auth data was cached. Referrer checks, CORS, special headers, etc. can block that.
Since prismarine-auth doesn't formally support the browser (due to CORS restrictions), and since the xboxlive auth dep shouldn't be loading dynamic websites, there is no security impact for prismarine-auth. However, just to note, that dep is only used at all if password auth is used, which is not done by default. We may remove it in the future, but updating to a new major version is breaking and would require code changes.
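A triage step for reports like this one, added here as an example and not code from prismarine-auth or Xboxreplay: walk a `package-lock.json` (lockfile v2+ `packages` map) for every installed copy of axios, including nested copies under a transitive dependency, and flag those inside the advisory's affected range (0.8.1 through 1.5.1, fixed in 1.6.0). The lockfile fragment and the dependency name `some-auth-dep` are constructed for the example.

```javascript
// Affected range as stated in the advisory quoted in this issue.
const AFFECTED = { pkg: "axios", min: "0.8.1", maxInclusive: "1.5.1", fixed: "1.6.0" };

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build suffixes are ignored here).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True when min <= version <= maxInclusive.
function isAffected(version) {
  return compareSemver(version, AFFECTED.min) >= 0 &&
         compareSemver(version, AFFECTED.maxInclusive) <= 0;
}

// Lockfile v2+ keys look like "node_modules/a/node_modules/axios"; the last
// path segment after the final "node_modules/" is the installed package name.
// Report every axios copy with its install path and whether it is in range.
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.split("node_modules/").pop() === AFFECTED.pkg)
    .map(([path, meta]) => ({ path, version: meta.version, affected: isAffected(meta.version) }));
}

// Constructed lockfile: a patched top-level axios plus an older copy nested
// under a hypothetical transitive dependency, mirroring the tree in this issue.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/some-auth-dep": { version: "1.0.0", dependencies: { axios: "^1.5.1" } },
    "node_modules/some-auth-dep/node_modules/axios": { version: "1.5.1" },
  },
};

// Stand-alone usage: print the audit result for the constructed lockfile.
console.table(auditLockfile(SAMPLE_LOCK));
```

In a real checkout, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a nested copy flagged `affected: true` is the one to chase even when the top-level axios is already on 1.6.0.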