Edgar-P-yan / node-sms-ru

✉️ SMS.ru phone messaging service's node.js client
https://edgar-p-yan.github.io/node-sms-ru/
MIT License

Vulnerability in the axios package #23

Closed stepanzin closed 2 weeks ago

stepanzin commented 4 months ago

The audit command produces the following report:

# npm audit report

axios  <=0.27.2
Severity: high
Axios vulnerable to Server-Side Request Forgery - https://github.com/advisories/GHSA-4w2v-q235-vp99
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
Depends on vulnerable versions of follow-redirects
No fix available
node_modules/node-sms-ru/node_modules/axios
  node-sms-ru  *
  Depends on vulnerable versions of axios
  node_modules/node-sms-ru

follow-redirects  <=1.15.5
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
No fix available
node_modules/node-sms-ru/node_modules/follow-redirects

The problem is the explicitly pinned axios version in package.json. I suggest doing something similar to what the @nestjs/axios package does (https://github.com/nestjs/axios/blob/e90b6296ecfb03d73f9ab53e673436d033ea9a82/package.json#L49)

Edgar-P-yan commented 2 weeks ago

In the new version v0.3.0 I updated the dependency version; it now picks up the latest. Moving it to peerDependencies is not a bad idea, but for a utility as small as node-sms-ru I want to keep everything as simple as possible.