DavidWells / analytics

Lightweight analytics abstraction layer for tracking page views, custom events, & identifying visitors
https://getanalytics.io
MIT License

Dependency Security: Axios Cross-Site Request Forgery Vulnerability #419

Open roninCode opened 8 months ago

roninCode commented 8 months ago

There is an Axios Cross-Site Request Forgery Vulnerability dependency in the @analytics/segment plugin.

Dependabot is stating: @analytics/segment@1.1.3 requires axios@^0.21.1 via a transitive dependency on analytics-node@3.5.0 (https://github.com/DavidWells/analytics/blob/master/packages/analytics-plugin-segment/package.json#L56)

Looks like analytics-node is a deprecated repo with no more support.

analytics-node suggests using this repo instead: https://github.com/segmentio/analytics-next/tree/master/packages/node#readme

Any way you can replace analytics-node with analytics-next?
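To trace a chain like the one Dependabot reports above, here is an added example (not code from the analytics repo or from either commenter) that walks an npm lockfile's `packages` map and reports every dependency path from the root to a flagged package. The lock data is constructed to mirror the chain named in the issue, and the function names are assumptions of this example.

```javascript
// Constructed npm lockfile (v2/v3 "packages" layout) mirroring the issue:
// root -> @analytics/segment -> analytics-node -> axios.
const sampleLock = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@analytics/segment": "^1.1.3", analytics: "^0.8.0" } },
    "node_modules/@analytics/segment": { version: "1.1.3", dependencies: { "analytics-node": "^3.5.0" } },
    "node_modules/analytics-node": { version: "3.5.0", dependencies: { axios: "^0.21.1", "lodash.isstring": "^4.0.1" } },
    "node_modules/axios": { version: "0.21.1" },
    "node_modules/lodash.isstring": { version: "4.0.1" },
    "node_modules/analytics": { version: "0.8.0" },
  },
};

// Resolve a dependency name to its lockfile key. npm can nest a package under its
// parent (node_modules/a/node_modules/b), so the nested location is checked before
// the hoisted top-level one. Returns null when the lockfile has no matching entry.
function resolveEntry(lock, parentKey, depName) {
  const nested = `${parentKey}/node_modules/${depName}`;
  if (lock.packages[nested]) return nested;
  const hoisted = `node_modules/${depName}`;
  return lock.packages[hoisted] ? hoisted : null;
}

// Depth-first walk from the root entry (""), collecting every chain that ends at
// `target`. Each chain element is "name@version" so the report reads like the
// Dependabot alert. A per-path `seen` set stops cycles in the dependency graph.
function findDependencyChains(lock, target) {
  const chains = [];
  const walk = (key, path, seen) => {
    const entry = lock.packages[key];
    if (!entry) return;
    for (const depName of Object.keys(entry.dependencies || {})) {
      const depKey = resolveEntry(lock, key, depName);
      if (!depKey || seen.has(depKey)) continue; // unresolved entry or cycle
      const next = [...path, `${depName}@${lock.packages[depKey].version}`];
      if (depName === target) chains.push(next);
      else walk(depKey, next, new Set([...seen, depKey]));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// Print each chain as "a@1 -> b@2 -> target@3" when run directly.
if (typeof require !== "undefined" && require.main === module) {
  for (const chain of findDependencyChains(sampleLock, "axios")) console.log(chain.join(" -> "));
}
```

Point it at a real `package-lock.json` (via `JSON.parse(fs.readFileSync(...))`) to see whether a flagged package is reachable only through a server-side entry point such as analytics-node.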

DavidWells commented 8 months ago

Axios is just making calls directly to segment (https://github.com/segmentio/analytics-node/blob/master/index.js#L303). I don't think this security warning will have any impact on you.

If you are just using segment in the browser you can completely ignore the warning as axios is only used serverside in node.

I won't be updating the node package anytime soon but am open to PRs to refactor https://github.com/DavidWells/analytics/blob/master/packages/analytics-plugin-segment/src/node.js to the latest version of the segment node package. https://segment.com/docs/connections/sources/catalog/libraries/server/node/migration/