Retire.js version (retire --version): 5.0.0-beta.1
node version (node --version): v21.7.1
Description:
When retire scans the .js file for dependencies, it mistakes a comment in the file for a dependency. The comment is:
// Axios v0.17 mutates the url to include the baseURL for non hostnames
// but does not remove the baseURL from the config
retire mistakes the comment as declaring an axios dependency with version 0.17. In reality, we are using the latest axios version 1.6.x. axios version 0.17 has 2 CVEs associated with it, causing retire and dependency-checker to produce a false positive.
Ref: https://github.com/ctimmerm/axios-mock-adapter/blob/4492f3c3b02c3e7054553b4f3190101b3d5b6a95/src/handle_request.js#L37
Expected behaviour:
retire should not recognize axios version 0.17 from the comment and should not produce the false positive.
If this is a false positive or false negative: This is a false positive.
How did you run the tool? Command line? Browser extension?
Verified both with dependency-checker from OWASP and the retire CLI.
Can you provide a link to the file(s) containing the libraries?
https://github.com/ctimmerm/axios-mock-adapter/blob/4492f3c3b02c3e7054553b4f3190101b3d5b6a95/src/handle_request.js#L37
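An added example, not retire.js's own code (its real detection patterns are not reproduced here): a constructed stand-in content regex shows how a scanner that matches raw file text picks the version out of the comment quoted above, and how stripping comments before matching avoids that false positive. AXIOS_VERSION_RE and SAMPLE_SOURCE are assumptions built for this illustration.

```javascript
// Constructed stand-in for a content-based version extractor; NOT retire's pattern.
const AXIOS_VERSION_RE = /axios v?(\d+\.\d+(?:\.\d+)?)/i;

// Constructed sample modelled on the handle_request.js lines quoted in the issue.
const SAMPLE_SOURCE = `
// Axios v0.17 mutates the url to include the baseURL for non hostnames
// but does not remove the baseURL from the config
const url = "http://example.invalid/path"; // a "//" inside a string, not a comment
function handleRequest(config) { return config.baseURL + "/" + config.url; }
`;

// Naive detector: scans the raw file text, comments included -> false positive.
function detectNaive(source) {
  const m = AXIOS_VERSION_RE.exec(source);
  return m ? m[1] : null;
}

// Remove // line comments and /* */ block comments while leaving string
// literals untouched, so "//" inside a URL string is not treated as a comment.
function stripComments(source) {
  let out = "", i = 0, quote = null;
  while (i < source.length) {
    const c = source[i], next = source[i + 1];
    if (quote) {
      out += c;
      if (c === "\\") { out += next ?? ""; i += 2; continue; } // keep escaped char
      if (c === quote) quote = null;
      i++;
    } else if (c === '"' || c === "'" || c === "`") {
      quote = c; out += c; i++;
    } else if (c === "/" && next === "/") {
      while (i < source.length && source[i] !== "\n") i++; // drop to end of line
    } else if (c === "/" && next === "*") {
      const end = source.indexOf("*/", i + 2);
      i = end === -1 ? source.length : end + 2;           // drop block comment
    } else {
      out += c; i++;
    }
  }
  return out;
}

// Hardened detector: match only on code, never on comment text.
function detectIgnoringComments(source) {
  return detectNaive(stripComments(source));
}
```

A second check that does not depend on source text at all is to compare any content-derived version against the version declared for the package in package.json or the lockfile before raising a finding.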