
The version of the Axios used has a CSRF security vulnerability

Open elezar42 opened this issue 1 year ago • 2 comments

There is a CSRF security vulnerability that exists in most versions of Axios, including the version used by cldr-data-downloader. It needs to be updated to version 1.6.0 or later to resolve that vulnerability.

https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

elezar42 avatar Jan 11 '24 03:01 elezar42

I think this project has been abandoned. There haven't been any commits in almost 2 years, and the owner hasn't responded to any issues in that long either. I've done some brief testing, and it looks like cldr-data-downloader works fine with the current latest version of Axios. So until/unless this package is updated, you can put an override in your own project's package.json to force it to use a version of Axios that has the vulnerability fixed:

    "overrides": {
        "[email protected]": {
            "axios": "1.6.5"
        }
    }

elezar42 avatar Jan 18 '24 18:01 elezar42

https://github.com/rxaviers/cldr-data-downloader/pull/68

MehmetYararVX avatar Apr 15 '24 11:04 MehmetYararVX