Azure / azure-functions-durable-js

JavaScript library for using the Durable Functions bindings
https://www.npmjs.com/package/durable-functions
MIT License

Update axios package version #559

Closed vmashnitskaya closed 4 months ago

vmashnitskaya commented 8 months ago

Describe the bug: The package contains an outdated axios version

Investigative information

Expected behavior: Axios is updated to the latest version

restfulhead commented 7 months ago

+1 npm audit reports the following vulnerability:

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

pcj commented 7 months ago

Also seeing this. If you run npm audit fix --force it downgrades the durable-functions to 1.1.2 😢

-    "durable-functions": "^3.0.0",
+    "durable-functions": "^1.1.2",
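As an added example (not code from the durable-functions project), here is a small check a CI job could run over a package-lock before accepting an `npm audit fix --force` result: it reports every copy of axios whose resolved version falls inside the advisory's affected range quoted above (0.8.1 - 1.5.1), and flags a direct dependency whose range dropped to a lower major version, like the `^3.0.0` to `^1.1.2` change shown. `ADVISORY`, `SAMPLE_LOCK` and the helper names are assumptions for this example, and the lockfile fragment is constructed, not the project's real dependency tree.

```javascript
// Affected range as printed by npm audit in the thread (inclusive on both ends).
const ADVISORY = { name: "axios", id: "GHSA-wf5p-g6vw-rhxx", low: "0.8.1", high: "1.5.1" };

// Minimal x.y.z parser so this runs without the `semver` package; a leading
// ^, ~, = or v is dropped and pre-release tags are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^[\^~=v]/, ""));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) { // returns -1, 0 or 1
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when `version` lies inside the advisory's affected range.
function isAffected(version, adv = ADVISORY) {
  return compare(version, adv.low) >= 0 && compare(version, adv.high) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock and report
// every installed copy of the advisory's package that is still in range.
function auditLock(lock, adv = ADVISORY) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith(`node_modules/${adv.name}`)) continue;
    if (isAffected(meta.version, adv)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// A direct dependency whose range moved to a lower major version after
// `npm audit fix --force` is a regression to review, not a fix to accept.
function isMajorDowngrade(before, after) {
  return parseVersion(after)[0] < parseVersion(before)[0];
}

// Constructed lockfile fragment: a nested axios copy still in range next to
// a top-level copy that is already outside it. Versions are illustrative.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "durable-functions": "^3.0.0" } },
    "node_modules/durable-functions": { version: "3.0.0" },
    "node_modules/durable-functions/node_modules/axios": { version: "0.27.2" },
    "node_modules/axios": { version: "1.6.0" },
  },
};
```

Running `auditLock(SAMPLE_LOCK)` returns only the nested `0.27.2` copy, and `isMajorDowngrade("^3.0.0", "^1.1.2")` is `true`, which is the case to block in CI.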

mmajcica commented 6 months ago

It should be updated in both v2 and v3

restfulhead commented 6 months ago

@mmajcica Great, could you please release this update to NPM?

mmajcica commented 6 months ago

> @mmajcica Great, could you please release this update to NPM?

What should I release? Axios is already there, released: https://www.npmjs.com/package/axios. I made a PR for Az Durable Functions Js with the package updated.

restfulhead commented 6 months ago

Oh, I misunderstood your earlier comment. I thought the PR was already merged. I was hoping for a new durable-functions v2 release with the upgraded/patched Axios package.

pcj commented 5 months ago

Thanks, it looks like the axios issue should be fixed by https://github.com/Azure/azure-functions-durable-js/commit/22862a52590810119b067d57b3c81767a280b25e

The current released version is 3.0.0 which obviously does not have that commit. Are there plans to release a 3.0.1 or 3.1.0 version?

ejizba commented 5 months ago

@pcj please see discussion here: https://github.com/Azure/azure-functions-durable-js/pull/540#issuecomment-1852850285. To summarize, the axios vulnerability is a false positive for the durable package but we still hope to have an update out soon.

pcj commented 5 months ago

3.0.1 is out, please close this issue, thanks!

castrodd commented 5 months ago

@pcj We are still working on updating the v2.x branch as well, but we hit some issues with our tests running on Node 10. We will close this out soon.