alphagov / govuk-prototype-kit

Rapidly create HTML prototypes of GOV.UK services
https://prototype-kit.service.gov.uk
MIT License
303 stars 236 forks

Vulnerability in axios #2383

Closed cjfryer closed 6 months ago

cjfryer commented 9 months ago

A cross-site request forgery vulnerability exists in axios < 1.6.0. The Prototype Kit requires axios@0.21.4 via a transitive dependency on localtunnel@2.0.2, which is itself a dependency of browser-sync@2.29.3

└─┬ govuk-prototype-kit@13.15.3
  └─┬ browser-sync@2.29.3
    └─┬ localtunnel@2.0.2
      └── axios@0.21.4

The vulnerability has been reported on the localtunnel GitHub repo, but the last commit on localtunnel was August 2022, so I'm not convinced this will be addressed in a timely manner.
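An added example, not code from the Prototype Kit or from anyone in this thread, showing how to find the dependency chain quoted above programmatically rather than by reading `npm ls` output by eye. It walks a tree of the shape that `npm ls --all --json` produces and reports every chain that pulls in a package below a known-fixed version. The tree below is constructed to mirror the chain in the issue; the `express` entry is an assumed unrelated dependency added to show that non-matching branches are ignored.

```javascript
// Added example: walk an `npm ls --all --json` style tree and report every
// chain that pulls in `target` at a version below `fixedIn`.

// Constructed sample tree mirroring the chain quoted in the issue.
const sampleTree = {
  name: "govuk-prototype-kit",
  version: "13.15.3",
  dependencies: {
    "browser-sync": {
      version: "2.29.3",
      dependencies: {
        localtunnel: {
          version: "2.0.2",
          dependencies: {
            axios: { version: "0.21.4" }
          }
        }
      }
    },
    // Assumed unrelated dependency, present only to show it is skipped.
    express: { version: "4.18.2" }
  }
};

// Minimal semver comparison on major.minor.patch; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split(".").map(n => parseInt(n, 10));
  const pb = b.split(".").map(n => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every occurrence of `target` with its chain.
function findPackage(tree, target, chain = [], results = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const path = [...chain, `${name}@${node.version}`];
    if (name === target) results.push({ chain: path, version: node.version });
    findPackage(node, target, path, results);
  }
  return results;
}

// Chains (root included, joined with " > ") whose version is below `fixedIn`.
function vulnerableChains(tree, target, fixedIn) {
  const root = `${tree.name}@${tree.version}`;
  return findPackage(tree, target)
    .filter(hit => compareVersions(hit.version, fixedIn) < 0)
    .map(hit => [root, ...hit.chain].join(" > "));
}

// Usage: run as-is for the constructed tree, or replace `sampleTree` with
// JSON.parse(require("fs").readFileSync("tree.json", "utf8")) where tree.json
// was written by `npm ls --all --json`.
for (const line of vulnerableChains(sampleTree, "axios", "1.6.0")) {
  console.log(line);
}
```

The walk keeps recursing after a match, so a package that is both a direct and a nested dependency is reported on every chain; that matters when the fix has to be applied at more than one level of the tree.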

timothyPatterson commented 8 months ago

Browser-sync has now been updated (>=3.0) so that installation of localtunnel is the responsibility of the user (see commit). A patched version of localtunnel has been created here. For context on browsersync/localtunnel see here.

colinrotherham commented 6 months ago

Closed by https://github.com/alphagov/govuk-prototype-kit/pull/2394