Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Release Notes
axios/axios
### [`v0.21.1`](https://togithub.com/axios/axios/blob/master/CHANGELOG.md#0211-December-21-2020)
[Compare Source](https://togithub.com/axios/axios/compare/v0.21.0...v0.21.1)
Fixes and Functionality:
- Hotfix: Prevent SSRF ([#3410](https://togithub.com/axios/axios/issues/3410))
- Protocol not parsed when setting proxy config from env vars ([#3070](https://togithub.com/axios/axios/issues/3070))
- Updating axios in types to be lower case ([#2797](https://togithub.com/axios/axios/issues/2797))
- Adding a type guard for `AxiosError` ([#2949](https://togithub.com/axios/axios/issues/2949))
Internal and Tests:
- Remove the skipping of the `socket` http test ([#3364](https://togithub.com/axios/axios/issues/3364))
- Use different socket for Win32 test ([#3375](https://togithub.com/axios/axios/issues/3375))
Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:
- Daniel Lopretto
- Jason Kwok
- Jay
- Jonathan Foster
- Remco Haszing
- Xianming Zhong
### [`v0.21.0`](https://togithub.com/axios/axios/blob/master/CHANGELOG.md#0210-October-23-2020)
[Compare Source](https://togithub.com/axios/axios/compare/v0.20.0...v0.21.0)
Fixes and Functionality:
- Fixing requestHeaders.Authorization ([#3287](https://togithub.com/axios/axios/pull/3287))
- Fixing node types ([#3237](https://togithub.com/axios/axios/pull/3237))
- Fixing axios.delete ignores config.data ([#3282](https://togithub.com/axios/axios/pull/3282))
- Revert "Fixing overwrite Blob/File type as Content-Type in browser. ([#1773](https://togithub.com/axios/axios/issues/1773))" ([#3289](https://togithub.com/axios/axios/pull/3289))
- Fixing an issue that type 'null' and 'undefined' is not assignable to validateStatus when typescript strict option is enabled ([#3200](https://togithub.com/axios/axios/pull/3200))
Internal and Tests:
- Lock travis to not use node v15 ([#3361](https://togithub.com/axios/axios/pull/3361))
Documentation:
- Fixing simple typo, existant -> existent ([#3252](https://togithub.com/axios/axios/pull/3252))
- Fixing typos ([#3309](https://togithub.com/axios/axios/pull/3309))
Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:
- Allan Cruz
- George Cheng
- Jay
- Kevin Kirsche
- Remco Haszing
- Taemin Shin
- Tim Gates
- Xianming Zhong
### [`v0.20.0`](https://togithub.com/axios/axios/blob/master/CHANGELOG.md#0200-August-20-2020)
[Compare Source](https://togithub.com/axios/axios/compare/v0.19.2...v0.20.0)
Release of 0.20.0-pre as a full release with no other changes.
### [`v0.19.2`](https://togithub.com/axios/axios/blob/master/CHANGELOG.md#0192-Jan-20-2020)
[Compare Source](https://togithub.com/axios/axios/compare/v0.19.1...v0.19.2)
- Remove unnecessary XSS check ([#2679](https://togithub.com/axios/axios/pull/2679)) (see ([#2646](https://togithub.com/axios/axios/issues/2646)) for discussion)
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Enabled.
♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box.
This PR contains the following updates:
axios: ^0.19.0 -> ^0.21.0
GitHub Vulnerability Alerts
CVE-2020-28168
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
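The range in this PR, `^0.21.0`, still admits 0.21.0, the release the alert names, so the lockfile decides whether the SSRF hotfix from 0.21.1 is actually installed. The check below is an added example, not part of the Renovate PR or of axios: it scans a parsed `package-lock.json` for axios copies older than 0.21.1. `findVulnerableAxios`, `SAMPLE_LOCK` and the choice to flag every version below 0.21.1 (the page itself names only 0.21.0) are assumptions of this example.

```javascript
// Added example (not Renovate or axios code): find axios copies older than the 0.21.1 hotfix.
const FIXED = [0, 21, 1]; // 0.21.1 carries "Hotfix: Prevent SSRF" per the release notes

// "0.21.0" -> [0, 21, 0]; prerelease/build suffixes are ignored, non-semver strings give null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBeforeFix(version) {
  const p = parseVersion(version);
  if (!p) return true; // git URL, tarball or link: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false;
}

// Handles both layouts: `packages` (lockfileVersion 2/3) and nested `dependencies` (v1).
function findVulnerableAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/axios$/.test(path) && isBeforeFix(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + name;
      if (name === 'axios' && isBeforeFix(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v2 files carry both layouts; scan one
  return hits;
}

// Constructed sample (not a real project): the root copy resolved to 0.21.0 under ^0.21.0.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { axios: '^0.21.0' } },
    'node_modules/axios': { version: '0.21.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '0.19.2' },
    'node_modules/other-sdk/node_modules/axios': { version: '0.21.1' },
  },
};
console.log(findVulnerableAxios(SAMPLE_LOCK));
```

Nested copies pulled in by other packages are not moved by a bump of the top-level range, which is why the scan reports every install path rather than only the root one.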
This PR has been generated by WhiteSource Renovate. View repository job log here.