
Outdated axios dependency causes security vulnerability

Open jkesseler opened this issue 1 year ago • 4 comments

Describe the Bug

See: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx Please keep dependencies up-to-date

To Reproduce

Run npm install on any project depending on '@sitecore-jss/sitecore-jss'

Expected Behavior

No security vulnerabilities

Possible Fix

Keep dependencies up to date.

Provide environment information

  • Sitecore Version: Not applicable
  • JSS Version: 22
  • Browser Name and version: Not applicable
  • Operating System and version (desktop or mobile): Not applicable
  • Link to your project (if available): Not applicable

jkesseler avatar Jun 17 '24 14:06 jkesseler

Thank you for reporting this. It's in our backlog for further prioritization.

art-alexeyenko avatar Jun 28 '24 21:06 art-alexeyenko

+1

jamesryan-dev avatar Aug 02 '24 10:08 jamesryan-dev

Hello, is there any momentum on this?

banghelache44 avatar Sep 26 '24 14:09 banghelache44

Hey, @banghelache44, @jamesryan-dev, in the jss team we keep coming back to the topic of upgrading (or removing) axios. Due to this being not as straightforward as it probably seems and having other, higher priority things on our list, we are still yet to start work on it. However, just last week we discussed prioritizing it, so hopefully we'll have a solution soon.

yavorsk avatar Oct 07 '24 12:10 yavorsk

Noticed this one today as well. Can you actually just update it please, dear devs? I don't see anything breaking when I forcibly make it use a newer version.

With respect, this is taking way too long for such a minor code change. The current dependency version is almost 4 years old 😲 Kind of ridiculous, frankly.

Currently I have this in our package.json:

"overrides": {
  "@sitecore-jss/sitecore-jss-nextjs": {
    "@sitecore-jss/sitecore-jss": {
      "axios": "^1.6.2"
    }
  }
}

And this works perfectly and flawlessly. I even went so far as to verify that it really is using this version at runtime, and it is.

As of currently, I can ~~probably~~ bump it to 1.7.7 and be totally and utterly fine.

@yavorsk

Due to this being not as straightforward as probably seems

Please have that discussion here. There is no need to scurry away in a room and have such discussion offline and in the dark (I'm just imagining 😀). Please share what is not straight-forward, people here can help. I for one, can tell you it absolutely is straight-forward.

This is 5 minutes work. Or 3 minutes if you hurry a little 😅

thany avatar Nov 22 '24 10:11 thany

We are also interested in the fix. The issue seems to be open for almost 6 months now.

rsrinivasanhome avatar Dec 11 '24 12:12 rsrinivasanhome

3 weeks since my last comment, and no response from the devs. Honestly, what does it take to get information out of them, or 5 minutes of their time to apply this fix? Now that it's also a security vulnerability, why the heck isn't this getting critical priority?

Honestly, I feel Sitecore is an extremely backend-minded company that sees frontend stuff as a necessary evil, and in general kind of an afterthought. Or maybe there's a very strict "what worked then, oughta work now" kind of mentality, which is frankly toxic. This wouldn't be the first issue that takes weeks and weeks and months and months to get somewhere, if anywhere.

But hey, I can still be proven wrong. I'd love to in this case.

thany avatar Dec 12 '24 10:12 thany

Sorry guys it is taking so long, I understand your frustration. The team hasn't forgotten about this, believe me. We'll have axios removed soon.

yavorsk avatar Dec 16 '24 16:12 yavorsk

It's not frustration, it's security. Take it seriously.

thany avatar Dec 17 '24 09:12 thany

Axios module has been removed as core dependency in 22.4.0 and can now be managed separately.

art-alexeyenko avatar Apr 08 '25 21:04 art-alexeyenko