Release Notes
axios/axios
### [`v0.21.2`](https://togithub.com/axios/axios/blob/master/CHANGELOG.md#0212-September-4-2021)
[Compare Source](https://togithub.com/axios/axios/compare/v0.21.1...v0.21.2)
Fixes and Functionality:
- Updating axios requests to be delayed by pre-emptive promise creation ([#2702](https://togithub.com/axios/axios/pull/2702))
- Adding "synchronous" and "runWhen" options to interceptors API ([#2702](https://togithub.com/axios/axios/pull/2702))
- Updating of transformResponse ([#3377](https://togithub.com/axios/axios/pull/3377))
- Adding ability to omit User-Agent header ([#3703](https://togithub.com/axios/axios/pull/3703))
- Adding multiple JSON improvements ([#3688](https://togithub.com/axios/axios/pull/3688), [#3763](https://togithub.com/axios/axios/pull/3763))
- Fixing quadratic runtime and extra memory usage when setting a maxContentLength ([#3738](https://togithub.com/axios/axios/pull/3738))
- Adding parseInt to config.timeout ([#3781](https://togithub.com/axios/axios/pull/3781))
- Adding custom return type support to interceptor ([#3783](https://togithub.com/axios/axios/pull/3783))
- Adding security fix for ReDoS vulnerability ([#3980](https://togithub.com/axios/axios/pull/3980))
Internal and Tests:
- Updating build dev dependencies ([#3401](https://togithub.com/axios/axios/pull/3401))
- Fixing builds running on Travis CI ([#3538](https://togithub.com/axios/axios/pull/3538))
- Updating follow redirect version ([#3694](https://togithub.com/axios/axios/pull/3694), [#3771](https://togithub.com/axios/axios/pull/3771))
- Updating karma sauce launcher to fix failing sauce tests ([#3712](https://togithub.com/axios/axios/pull/3712), [#3717](https://togithub.com/axios/axios/pull/3717))
- Updating content-type header for application/json to not contain charset field, according to RFC 8259 ([#2154](https://togithub.com/axios/axios/pull/2154))
- Fixing tests by bumping karma-sauce-launcher version ([#3813](https://togithub.com/axios/axios/pull/3813))
- Changing testing process from Travis CI to GitHub Actions ([#3938](https://togithub.com/axios/axios/pull/3938))
Documentation:
- Updating documentation around the use of `AUTH_TOKEN` with multiple domain endpoints ([#3539](https://togithub.com/axios/axios/pull/3539))
- Remove duplication of item in changelog ([#3523](https://togithub.com/axios/axios/pull/3523))
- Fixing grammatical errors ([#2642](https://togithub.com/axios/axios/pull/2642))
- Fixing spelling error ([#3567](https://togithub.com/axios/axios/pull/3567))
- Moving gitpod mention ([#2637](https://togithub.com/axios/axios/pull/2637))
- Adding new axios documentation website link ([#3681](https://togithub.com/axios/axios/pull/3681), [#3707](https://togithub.com/axios/axios/pull/3707))
- Updating documentation around dispatching requests ([#3772](https://togithub.com/axios/axios/pull/3772))
- Adding documentation for the type guard isAxiosError ([#3767](https://togithub.com/axios/axios/pull/3767))
- Adding explanation of cancel token ([#3803](https://togithub.com/axios/axios/pull/3803))
- Updating CI status badge ([#3953](https://togithub.com/axios/axios/pull/3953))
- Fixing errors with JSON documentation ([#3936](https://togithub.com/axios/axios/pull/3936))
- Fixing README typo under Request Config ([#3825](https://togithub.com/axios/axios/pull/3825))
- Adding axios-multi-api to the ecosystem file ([#3817](https://togithub.com/axios/axios/pull/3817))
- Adding SECURITY.md to properly disclose security vulnerabilities ([#3981](https://togithub.com/axios/axios/pull/3981))
Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:
- [Jay](mailto:jasonsaayman@gmail.com)
- [Sasha Korotkov](https://togithub.com/SashaKoro)
- [Daniel Lopretto](https://togithub.com/timemachine3030)
- [Mike Bishop](https://togithub.com/MikeBishop)
- [Dmitriy Mozgovoy](https://togithub.com/DigitalBrainJS)
- [Mark](https://togithub.com/bimbiltu)
- [Philipe Gouveia Paixão](https://togithub.com/piiih)
- [hippo](https://togithub.com/hippo2cat)
- [ready-research](https://togithub.com/ready-research)
- [Xianming Zhong](https://togithub.com/chinesedfan)
- [Christopher Chrapka](https://togithub.com/OJezu)
- [Brian Anglin](https://togithub.com/anglinb)
- [Kohta Ito](https://togithub.com/koh110)
- [Ali Clark](https://togithub.com/aliclark)
- [caikan](https://togithub.com/caikan)
- [Elina Gorshkova](https://togithub.com/elinagorshkova)
- [Ryota Ikezawa](https://togithub.com/paveg)
- [Nisar Hassan Naqvi](https://togithub.com/nisarhassan12)
- [Jake](https://togithub.com/codemaster138)
- [TagawaHirotaka](https://togithub.com/wafuwafu13)
- [Johannes Jarbratt](https://togithub.com/johachi)
- [Mo Sattler](https://togithub.com/MoSattler)
- [Sam Carlton](https://togithub.com/ThatGuySam)
- [Matt Czapliński](https://togithub.com/MattCCC)
- [Ziding Zhang](https://togithub.com/zidingz)
### [`v0.21.1`](https://togithub.com/axios/axios/blob/master/CHANGELOG.md#0211-December-21-2020)
[Compare Source](https://togithub.com/axios/axios/compare/v0.21.0...v0.21.1)
Fixes and Functionality:
- Hotfix: Prevent SSRF ([#3410](https://togithub.com/axios/axios/pull/3410))
- Protocol not parsed when setting proxy config from env vars ([#3070](https://togithub.com/axios/axios/pull/3070))
- Updating axios in types to be lower case ([#2797](https://togithub.com/axios/axios/pull/2797))
- Adding a type guard for `AxiosError` ([#2949](https://togithub.com/axios/axios/pull/2949))
Internal and Tests:
- Remove the skipping of the `socket` http test ([#3364](https://togithub.com/axios/axios/pull/3364))
- Use different socket for Win32 test ([#3375](https://togithub.com/axios/axios/pull/3375))
Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:
- Daniel Lopretto
- Jason Kwok
- Jay
- Jonathan Foster
- Remco Haszing
- Xianming Zhong
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, click this checkbox.
This PR contains the following updates: axios `0.21.0` -> `0.21.2`
GitHub Vulnerability Alerts
CVE-2020-28168
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
CVE-2021-3749
axios is vulnerable to Inefficient Regular Expression Complexity
This PR has been generated by WhiteSource Renovate. View repository job log here.