Closed cjfryer closed 6 months ago
Browser-sync has now been updated (>=3.0) so that installation of localtunnel is the responsibility of the user, see commit. A patched version of localtunnel has been created here. For context on browser-sync/localtunnel see here.
A cross-site request forgery vulnerability exists in axios < 1.6.0. The Prototype Kit requires axios@0.21.4 via a transitive dependency on localtunnel@2.0.2, which is itself a dependency of browser-sync@2.29.3.
The vulnerability has been reported on the localtunnel GitHub repo, but the last commit on localtunnel was August 2022, so I'm not convinced this will be addressed in a timely manner.
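To confirm the chain described in this issue in your own project, the script below walks a package-lock.json (lockfileVersion 3 "packages" map) from the root package and reports every dependency path that ends in an axios version below 1.6.0. This is an added example, not code from the Prototype Kit, localtunnel or browser-sync; the lockfile content is constructed to mirror the browser-sync -> localtunnel -> axios chain above, and the extra "some-tool" package with its own nested, already-patched axios is hypothetical, included only to show that nested copies are resolved the way npm resolves them and are not reported when they are not in range.

```javascript
// Constructed lockfile fragment (not a real Prototype Kit lock); integrity
// hashes and resolved URLs omitted. "some-tool" is hypothetical.
const constructedLock = {
  name: "prototype-kit-example",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "prototype-kit-example",
      version: "0.0.0",
      dependencies: { "browser-sync": "^2.29.3", "some-tool": "^1.0.0" },
    },
    "node_modules/browser-sync": { version: "2.29.3", dependencies: { localtunnel: "^2.0.1" } },
    "node_modules/localtunnel": { version: "2.0.2", dependencies: { axios: "0.21.4" } },
    "node_modules/axios": { version: "0.21.4", dependencies: { "follow-redirects": "^1.14.0" } },
    "node_modules/follow-redirects": { version: "1.15.3" },
    // Hypothetical package that pulls in a patched axios as a nested copy.
    "node_modules/some-tool": { version: "1.0.0", dependencies: { axios: "^1.6.0" } },
    "node_modules/some-tool/node_modules/axios": { version: "1.6.2" },
  },
};

// Compare numeric major.minor.patch only; pre-release tags are ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// true when version a is strictly lower than version b
function versionLess(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// npm resolution order: <fromPath>/node_modules/<name>, then each ancestor's
// node_modules, finishing at the top-level node_modules.
function resolvePackagePath(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; returns every chain
// ["dep@ver", ...] whose last element is `target` at a version that
// satisfies isVulnerable. A per-path "seen" set stops dependency cycles.
function findVulnerableChains(lock, target, isVulnerable) {
  const chains = [];
  const visit = (pkgPath, chain, seen) => {
    const entry = lock.packages[pkgPath];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolvePackagePath(lock, pkgPath, dep);
      if (!depPath || seen.has(depPath)) continue;
      const depEntry = lock.packages[depPath];
      const next = [...chain, `${dep}@${depEntry.version}`];
      if (dep === target && isVulnerable(depEntry.version)) chains.push(next);
      visit(depPath, next, new Set([...seen, depPath]));
    }
  };
  visit("", [], new Set());
  return chains;
}

// Render chains in the form the issue text uses.
function reportChains(lock) {
  return findVulnerableChains(lock, "axios", (v) => versionLess(v, "1.6.0"))
    .map((chain) => chain.join(" > "));
}

for (const line of reportChains(constructedLock)) console.log("vulnerable path:", line);
```

To run it against a real project, replace `constructedLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a lockfile older than version 3 has a different "dependencies" layout and is not handled here. The output lists each path you would need to break, for example with an npm `overrides` entry or by removing browser-sync's localtunnel dependency as the maintainer's comment describes.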