Closed vmashnitskaya closed 4 months ago
+1
`npm audit` reports the following vulnerability:
axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
Also seeing this. If you run `npm audit fix --force` it downgrades the `durable-functions` to `1.1.2` 😢
- "durable-functions": "^3.0.0",
+ "durable-functions": "^1.1.2",
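Review bot: the `+` line swaps the `^3.0.0` range for `^1.1.2`, which moves durable-functions back two major versions, so this should not be committed as the fix for the axios advisory. Keep `"durable-functions": "^3.0.0"` and resolve the axios finding through a durable-functions release that carries the updated dependency.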
It should be updated in both v2 and v3
@mmajcica Great, could you please release this update to NPM?
What should I release? Axios is already there, released https://www.npmjs.com/package/axios. I made a PR for Az Durable Functions Js with the package updated.
Oh, I misunderstood your earlier comment. I thought the PR was already merged. I was hoping for a new `durable-functions` v2 release with the upgraded/patched Axios package.
Thanks, it looks like the axios issue should be fixed by https://github.com/Azure/azure-functions-durable-js/commit/22862a52590810119b067d57b3c81767a280b25e
The current released version is 3.0.0, which obviously does not have that commit. Are there plans to release a `3.0.1` or `3.1.0` version?
@pcj please see discussion here: https://github.com/Azure/azure-functions-durable-js/pull/540#issuecomment-1852850285. To summarize, the axios vulnerability is a false positive for the durable package but we still hope to have an update out soon.
`3.0.1` is out, please close this issue, thanks!
@pcj We are still working on updating the v2.x branch as well, but we hit some issues with our tests running on Node 10. We will close this out soon.
Describe the bug
The package contains an outdated axios version

Investigative information

Expected behavior
Axios is updated to the latest version
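
To see which installed copy of axios triggers the `npm audit` finding quoted in this thread, without running `npm audit fix --force`, the lockfile can be checked directly against the reported range (0.8.1 - 1.5.1). This is an added example, not code from the issue or from the durable-functions project; the function names, the sample lockfile and the versions in it are constructed for illustration, and it assumes a `package-lock.json` with `lockfileVersion` 2 or 3.

```javascript
// Added example: find axios copies in a package-lock.json (lockfileVersion 2/3)
// that fall inside the range npm audit reported on this page: 0.8.1 - 1.5.1.
const LOW = [0, 8, 1];
const HIGH = [1, 5, 1];

// Parse "1.5.1" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inAdvisoryRange(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, LOW) >= 0 && compare(v, HIGH) <= 0;
}

// Returns [{ path, version, parent }] for each affected axios install.
function findVulnerableAxios(lock) {
  const suffix = "node_modules/axios";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix) || !inAdvisoryRange(meta.version)) continue;
    // A nested path names the dependency that pins this copy of axios.
    const parent = path.slice(0, -suffix.length).replace(/\/$/, "").split("node_modules/").pop() || "(root)";
    hits.push({ path, version: meta.version, parent });
  }
  return hits;
}

// Constructed sample lockfile; versions are illustrative, not from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app" },
    "node_modules/axios": { version: "1.6.2" },
    "node_modules/durable-functions": { version: "3.0.0" },
    "node_modules/durable-functions/node_modules/axios": { version: "0.21.4" },
  },
};

console.log(findVulnerableAxios(sampleLock));
```

The `parent` field shows whether the flagged copy is a direct dependency or one pulled in by another package, which is the distinction that decides whether the fix belongs in your own `package.json` or in an upstream release.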