Closed JamesBurnside closed 2 months ago
update-notifier also needs update: https://github.com/yeoman/update-notifier/issues/218
Fixed in 6.0.0 (Jun 23, 2022), latest version 7.0.0 (Oct 27, 2023).
Complete audit report:
axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @azure/static-web-apps-cli@0.2.1, which is a breaking change
node_modules/axios
wait-on 5.0.0-rc.0 - 7.1.0
Depends on vulnerable versions of axios
node_modules/wait-on
@azure/static-web-apps-cli >=0.3.0
Depends on vulnerable versions of update-notifier
Depends on vulnerable versions of wait-on
node_modules/@azure/static-web-apps-cli
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @azure/static-web-apps-cli@0.2.1, which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
Let's generalize this and ensure all "npm audit" packages are upgraded.
tl;dr - wait-on dependency needs to be updated to update the axios sub-dependency version

Describe the bug
Nested dependency axios needs to be updated for CVE-2023-45857 (https://github.com/axios/axios/issues/6006); this is fixed in axios. This dependency appears to stem from the wait-on package, which has since updated to fix this: https://github.com/jeffbski/wait-on/pull/147

Expected outcome
Update wait-on dependency to v7.2.0+