mollie-api-node
Axios Dependency
Hello, I saw that mollie-api-node runs with an old version of Axios. Here are my npm audit logs:
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
No fix available
node_modules/@mollie/api-client/node_modules/axios
@mollie/api-client <=3.7.0
Depends on vulnerable versions of axios
node_modules/@mollie/api-client
I solved the issue on my side by installing this:
npm install npm-force-resolutions --save-dev
Then add this to the package.json:
"resolutions": {
  "axios": "1.6.8"
},
"scripts": {
  // add to existing scripts
  "preinstall": "npx npm-force-resolutions"
}
Then run npm run preinstall to upgrade.
@maria-swierblewska @Pimm any timeline on solving this?
Yeah, would like to see this updated as well.
As per advisory https://github.com/advisories/GHSA-wf5p-g6vw-rhxx, the minimum patched version would be 0.28.0.
To patch this in your own repo for now (when using pnpm), add this to your package.json, and run pnpm i.
"pnpm": {
  "overrides": {
    "axios": "^0.28.0"
  }
}
Thanks for opening this issue.
The vulnerability in question can potentially reveal a secret stored in a cookie to untrusted servers. This client is not designed to run in a browser, so cookies are not a concern. Furthermore, the client connects to the Mollie server exclusively. The vulnerability therefore does not affect this client or its users, which is why no emergency release was made in response to it.
With that said, we plan to release a new version no later than next week.
If that is not soon enough, install the beta version:
npm install @mollie/api-client@beta
Any news on this yet?
We are working on a version of the client which uses fetch internally, swapping out Axios altogether. It hasn't been thoroughly tested, but it seems we will go with this approach in 4.0.0.
Until then ‒ provided that you're on Node.js 14+ ‒ you can use the beta version:
npm install @mollie/api-client@beta
The current version on master uses fetch instead of Axios. Version 4.0.0 will include this change.