Genability / genability-js

Node.js and Browser Javascript SDK for Genability APIs.
MIT License

Update Axios package to latest version #279

Open pkellysolbid opened 9 months ago

pkellysolbid commented 9 months ago

The Axios package is throwing a security vulnerability.

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

Please update the axios package to the latest version >1.6.0

Thank you!
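Two defender-side checks for the report above, added here as an example that is not code from genability-js or axios: a version-range check for the affected releases the issue names, and a request interceptor for browser-side use that keeps the XSRF token on same-origin requests only. It assumes plain-object request configs and the documented `xsrfCookieName` option; axios itself is not needed to run it.

```javascript
// Added example (not code from genability-js or axios). Two defender-side
// checks for the issue above, assuming browser-side axios use with plain
// object configs; axios itself is not required to run this file.

// Compare "major.minor.patch" strings; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` falls in the range quoted in the issue, 0.8.1 through
// 1.5.1 inclusive; feed it the version from package-lock.json or
// require('axios/package.json').version.
function isAffectedAxiosVersion(version) {
  return compareVersions(version, '0.8.1') >= 0 && compareVersions(version, '1.5.1') <= 0;
}

// Resolve a request config to its absolute target URL. An absolute `url`
// wins over `baseURL`, matching axios semantics; relative values resolve
// against the page origin.
function resolveTarget(config, pageOrigin) {
  const base = new URL(config.baseURL || '', pageOrigin);
  return new URL(config.url || '', base);
}

// Request interceptor (config in, config out) for pre-1.6 browser builds:
// for any target on a different origin, disable the XSRF cookie lookup by
// clearing xsrfCookieName (the documented option the header is read from)
// and drop an X-XSRF-TOKEN header if one was set by hand. `pageOrigin` is
// passed explicitly (window.location.origin in a browser) so this runs
// under Node for testing. Verify the behaviour against your axios version's
// xhr adapter; this is a stopgap alongside upgrading, not a substitute.
function makeXsrfGuard(pageOrigin) {
  const origin = new URL(pageOrigin).origin;
  return function stripCrossOriginXsrf(config) {
    if (resolveTarget(config, pageOrigin).origin === origin) return config;
    const headers = {};
    for (const [name, value] of Object.entries(config.headers || {})) {
      if (name.toLowerCase() !== 'x-xsrf-token') headers[name] = value;
    }
    return { ...config, headers, xsrfCookieName: undefined };
  };
}
// In a browser: axios.interceptors.request.use(makeXsrfGuard(window.location.origin));
```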

dlopuch commented 9 months ago

Thanks for flagging this. The version of Axios being used here is a bit behind and should be migrated to the latest 1.x branch.

To help us triage, are you using this library in a frontend (proxied) or backend (nodejs) manner?

pkellysolbid commented 9 months ago

I am using it in a backend (nodejs) manner.

dlopuch commented 9 months ago

Thanks for clarifying. The XSRF vulnerability should be irrelevant to your usage then, but we hear you that your build chain is probably warning you non-stop about this.

Looks like there are some breaking changes in the axios 1.x branch, but we'll take a look at it. If it's a blocker for you, we encourage you to submit a community PR.