When retire scans the .js file for dependencies, it mistake a comment in the file for dependencies. The comment is:
// Axios v0.17 mutates the url to include the baseURL for non hostnames
// but does not remove the baseURL from the config
retire mistake the comment as having axios dependency with version 0.17. In reality, we are using the latest axios version 1.6.x. axios version 0.17 has a 2 CVEs associated with it and causing retire and dependency-checker to produce false positive.
eoftedal
commented
2 months ago
Retire.js version: (
retire --version):5.0.0-beta.1
node version: (
node --version):v21.7.1
Description:
When
retirescans the.jsfile for dependencies, it mistake a comment in the file for dependencies. The comment is:retiremistake the comment as havingaxiosdependency with version0.17. In reality, we are using the latestaxiosversion1.6.x.axiosversion0.17has a 2 CVEs associated with it and causingretireand dependency-checker to produce false positive.Ref: https://github.com/ctimmerm/axios-mock-adapter/blob/4492f3c3b02c3e7054553b4f3190101b3d5b6a95/src/handle_request.js#L37
Expected behaviour:
retireshould not recognizeaxiosversion0.17from the comment and do not produce the false positive.If this is a false positive or false negative: This is a false positive.
How did you run the tool? Command line? Browser extension? Verified both with
dependency-checkerfrom OWASP andretire CLI.Can you provide a link to the file(s) containing the libraries?
https://github.com/ctimmerm/axios-mock-adapter/blob/4492f3c3b02c3e7054553b4f3190101b3d5b6a95/src/handle_request.js#L37