Open roninCode opened 8 months ago
Axios is just making calls directly to segment https://github.com/segmentio/analytics-node/blob/master/index.js#L303 I don't think this security warning will have any impact on you.
If you are just using segment in the browser you can completely ignore the warning as axios is only used serverside in node.
I won't be updating the node package anytime soon but am ppen to PRs to refactor https://github.com/DavidWells/analytics/blob/master/packages/analytics-plugin-segment/src/node.js to the latest version of the segment node package. https://segment.com/docs/connections/sources/catalog/libraries/server/node/migration/
There is a
Axios Cross-Site Request Forgery Vulnerability
dependency in the@analytics/segment
plugin.Dependabot is stating:
@analytics/segment@1.1.3 requires axios@^0.21.1 via a transitive dependency on analytics-node@3.5.0
(https://github.com/DavidWells/analytics/blob/master/packages/analytics-plugin-segment/package.json#L56)Looks like
analytics-node
is a deprecated repo with no more support.analytics-node
suggests using this repo instead: https://github.com/segmentio/analytics-next/tree/master/packages/node#readmeAny way you can replace
analytics-node
withanalytics-next
?