astahmer / openapi-zod-client

Generate a zodios (typescript http client with zod validation) from an OpenAPI spec (json/yaml)
openapi-zod-client.vercel.app

axios CVE-2023-45857 #253

Closed jayvdb closed 8 months ago

jayvdb commented 8 months ago

Describe the bug

package.json says "axios": "^0.27.2"

This triggers https://osv.dev/vulnerability/GHSA-wf5p-g6vw-rhxx

Minimal reproduction

Install https://github.com/google/osv-scanner
Run it

openapi-zod-client> osv-scanner --lockfile pnpm-lock.yaml 
Scanned /home/jayvdb/ts/openapi-zod-client/pnpm-lock.yaml file and found 973 packages
╭─────────────────────────────────────┬──────┬───────────┬──────────────────────┬─────────┬────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE              │ VERSION │ SOURCE         │
├─────────────────────────────────────┼──────┼───────────┼──────────────────────┼─────────┼────────────────┤
│ https://osv.dev/GHSA-p2fh-2h23-6grg │ 5.4  │ npm       │ @antfu/utils         │ 0.5.2   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-67hx-6x53-jw92 │ 9.3  │ npm       │ @babel/traverse      │ 7.20.1  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-67hx-6x53-jw92 │ 9.3  │ npm       │ @babel/traverse      │ 7.22.8  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-wf5p-g6vw-rhxx │ 6.5  │ npm       │ axios                │ 0.27.2  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-wf5p-g6vw-rhxx │ 6.5  │ npm       │ axios                │ 1.4.0   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-4q6p-r6v2-jvc5 │ 7.5  │ npm       │ get-func-name        │ 2.0.0   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-ww39-953v-wcq6 │ 7.5  │ npm       │ glob-parent          │ 2.0.0   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-pfrx-2q88-qq97 │ 5.3  │ npm       │ got                  │ 9.6.0   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-rc47-6667-2j5j │ 7.5  │ npm       │ http-cache-semantics │ 4.1.0   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-9c47-m6qq-7p4h │ 7.1  │ npm       │ json5                │ 1.0.1   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-9c47-m6qq-7p4h │ 7.1  │ npm       │ json5                │ 2.2.1   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-7fh5-64p2-3v2j │ 5.3  │ npm       │ postcss              │ 8.4.19  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-c2qf-rxjj-qqgw │ 5.3  │ npm       │ semver               │ 5.7.1   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-c2qf-rxjj-qqgw │ 5.3  │ npm       │ semver               │ 6.3.0   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-c2qf-rxjj-qqgw │ 5.3  │ npm       │ semver               │ 7.3.8   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-5r9g-qh6m-jxff │ 4.6  │ npm       │ undici               │ 5.12.0  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-r6ch-mqf9-qc9w │ 7.5  │ npm       │ undici               │ 5.12.0  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-wqq4-5wpv-mx2g │ 3.9  │ npm       │ undici               │ 5.12.0  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-j8xg-fqg3-53r7 │ 5.3  │ npm       │ word-wrap            │ 1.2.3   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-f9xv-q969-pqx4 │ 7.5  │ npm       │ yaml                 │ 2.1.3   │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-m95q-7qp3-xv42 │      │ npm       │ zod                  │ 3.19.1  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-m95q-7qp3-xv42 │      │ npm       │ zod                  │ 3.20.0  │ pnpm-lock.yaml │
╰─────────────────────────────────────┴──────┴───────────┴──────────────────────┴─────────┴────────────────╯

Expected behavior

The list of CVEs should be 0, but a lot of them are likely to be devDeps. But axios is not a dev-dep - it is propagated to anyone using openapi-zod-client

Additional context
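The triage the report implies, as an added example that is not code from the openapi-zod-client project or from the issue author: it parses the box-drawing table osv-scanner prints, attributes each finding to the scope declared in package.json (a runtime dependency reaches every consumer of the library, a devDependency only the repo's own toolchain, anything else is transitive), and orders runtime findings first. It also checks caret-range semantics, which is why "^0.27.2" matters: a caret on a 0.x version cannot float past its minor, so consumers stay on 0.27.x until the range itself is bumped. The package.json and the scanner excerpt are constructed for the example (only the axios range is taken from the issue), the version numbers fed to the caret check are constructed as well, and the advisory's real fixed versions should be read from the OSV entry.

```javascript
// Added example, not code from openapi-zod-client or from the issue author.
// It triages osv-scanner findings the way the report reasons: a finding on a
// package listed under "dependencies" is propagated to every consumer of the
// library, a devDependency only affects the repo's own toolchain, and anything
// else is transitive and needs a lockfile walk to attribute. It also shows why
// a caret range on a 0.x version (like "^0.27.2") can never float to a fix
// published in a later minor or major.

// Constructed package.json; only the axios range is taken from the issue.
const PACKAGE_JSON = JSON.stringify({
  name: "openapi-zod-client",
  dependencies: { axios: "^0.27.2", zod: "^3.19.1" },
  devDependencies: { undici: "^5.12.0", "@babel/traverse": "^7.20.1" },
});

// Constructed excerpt in the box-drawing layout osv-scanner prints.
const SCANNER_OUTPUT = `
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE              │ VERSION │ SOURCE         │
├─────────────────────────────────────┼──────┼───────────┼──────────────────────┼─────────┼────────────────┤
│ https://osv.dev/GHSA-wf5p-g6vw-rhxx │ 6.5  │ npm       │ axios                │ 0.27.2  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-67hx-6x53-jw92 │ 9.3  │ npm       │ @babel/traverse      │ 7.20.1  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-r6ch-mqf9-qc9w │ 7.5  │ npm       │ undici               │ 5.12.0  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-m95q-7qp3-xv42 │      │ npm       │ zod                  │ 3.19.1  │ pnpm-lock.yaml │
│ https://osv.dev/GHSA-c2qf-rxjj-qqgw │ 5.3  │ npm       │ semver               │ 7.3.8   │ pnpm-lock.yaml │
`;

// Parse the table rows; border and header rows are skipped.
function parseScannerTable(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    if (!line.startsWith("│")) continue;
    const cells = line.split("│").map((c) => c.trim()).slice(1, -1);
    if (cells[0] === "OSV URL") continue;
    const [url, cvss, ecosystem, pkg, version, source] = cells;
    findings.push({ url, cvss: cvss === "" ? null : Number(cvss), ecosystem, pkg, version, source });
  }
  return findings;
}

// Attribute each finding to the dependency scope declared in package.json.
function classify(findings, packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const runtime = manifest.dependencies || {};
  const dev = manifest.devDependencies || {};
  return findings.map((f) => {
    const scope = f.pkg in runtime ? "runtime" : f.pkg in dev ? "dev" : "transitive";
    return { ...f, scope, declaredRange: runtime[f.pkg] || dev[f.pkg] || null };
  });
}

// Runtime findings first (they ship to consumers), then by CVSS descending;
// an advisory without a score sorts after scored ones within its scope.
function prioritize(classified) {
  const rank = { runtime: 0, transitive: 1, dev: 2 };
  return [...classified].sort(
    (a, b) => rank[a.scope] - rank[b.scope] || (b.cvss ?? -1) - (a.cvss ?? -1)
  );
}

// Minimal semver handling for caret ranges only; prerelease tags are ignored.
function parseVersion(v) {
  return v.split(".").map(Number);
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// True if `candidate` satisfies the caret range: ^1.4.0 means >=1.4.0 <2.0.0,
// but ^0.27.2 means >=0.27.2 <0.28.0, so a 0.x caret never reaches the next minor.
function caretAllows(range, candidate) {
  if (!range.startsWith("^")) throw new Error("this example only handles caret ranges");
  const floor = parseVersion(range.slice(1));
  const [major, minor, patch] = floor;
  const ceiling = major > 0 ? [major + 1, 0, 0] : minor > 0 ? [0, minor + 1, 0] : [0, 0, patch + 1];
  const v = parseVersion(candidate);
  return compareVersions(v, floor) >= 0 && compareVersions(v, ceiling) < 0;
}

// Print the ordered triage list and return it for further processing.
function runTriage() {
  const ordered = prioritize(classify(parseScannerTable(SCANNER_OUTPUT), PACKAGE_JSON));
  for (const f of ordered) {
    console.log(`${f.scope.padEnd(10)} ${f.pkg}@${f.version} cvss=${f.cvss ?? "n/a"} ${f.url}`);
  }
  return ordered;
}
runTriage();
```

Running it lists the axios finding first as a runtime dependency, ahead of the higher-scored @babel/traverse finding, because scope decides who is exposed before severity does. The `transitive` bucket is deliberately conservative: a package absent from both dependency maps may still be shipped through a runtime dependency's own tree, so those rows need a lockfile walk before they can be dismissed as dev-only.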