Audit issue in version 4.11.3
```
axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/webdav/node_modules/axios
webdav 2.0.0-rc1 - 4.11.3
Depends on vulnerable versions of axios
node_modules/webdav
```
Hi! I'd recommend upgrading to the latest webdav as it's better to use fetch where available.
I'd accept a PR to update axios in v4 but don't have the bandwidth to do that myself right now.
I have the same problem as in issue #374. Using ESM Module I get the same error. Using feathers framework. I will check with the feathers developers how to solve that. Version 4 works fine :-) I read that you will deliver security updates for version 4, so I thought that's safe to use version 4.
~~I'll release a security patch for v4 once this PR drops.~~
Seems it's out - I'll try to get this resolved today.
Still on 4. Is it possible to patch up 4 please?
The update is taking longer than expected as I have to update to the new major version of axios, from 0->1, which is hardly a patch..
I'll try to get it out today.
I'm not sure that upgrading Axios for v4 will be possible, as it's a major update and the update has breaking changes (node support). Please see my PR: #386
I updated deps and fixed what vulnerabilities were possible. Axios' moderate level vulnerability is less than ideal but it's the best that they're providing for v0, and due to that, I can't fix it on this side. If they release a patch for v0, which I doubt they will, I'll update it here.
Understood. Any chance to add CommonJS support on 5?
Yeah, CJS will make a comeback. It's just a bit of work as I'm not sure that Webpack is capable of it - CJS/ESM across the browser and node builds. Changing to rollup would work but that's a larger change. Let's see..