checkly / checkly-cli

TS/JS native Monitoring as Code workflow
Apache License 2.0

bug: axios dependency includes a high npm audit vulnerability #957

Closed bradbotcode closed 2 months ago

bradbotcode commented 2 months ago

Node.js version

20.11

NPM version

10.2.4

@checkly/cli version

4.5.2

Steps to reproduce

Hi, Checkly team!

Running npm install in projects with checkly is showing a high vulnerability related to the axios dependency.

The good news is that the axios vulnerability was recently fixed (as of today, Aug 13, 2024) and the patch is now available in v1.7.4.

For more context, here is the audit report output after running npm audit on projects with checkly:

# npm audit report

axios  1.3.2 - 1.7.3
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix --force`
Will install checkly@4.0.12, which is a breaking change
node_modules/checkly/node_modules/axios
  checkly  <=0.0.0-pr.944.98770dd || >=4.0.13-prerelease
  Depends on vulnerable versions of axios
  node_modules/checkly

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

What is expected?

Expected for the axios dependency version to match the patched version that resolves the aforementioned vulnerability.

Overriding the axios dependency version in the package-lock.json ("node_modules/checkly/node_modules/axios") appeases npm audit, but it would be preferred to have this fixed in the checkly package itself.

What is actually happening?

The axios dependency version is not the patched version.

Any additional comments?

No response
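The report above shows the pattern behind this class of finding: the project's own dependency tree can already hold a patched release while a nested copy under another package stays inside the advisory range. The script below is an added example (not code from the checkly-cli project or from the reporter) that checks which installed copies of a package fall inside an advisory's semver range and builds the package.json `overrides` stanza (npm 8.3 and later) that pins the nested copy to the patched version. It assumes a flat map of installed paths to versions, constructed inline to mirror the paths in the audit output, and it handles only plain numeric ranges (hyphen ranges, comparators and `||`), ignoring prerelease tags when comparing.

```javascript
// Added example, not code from checkly-cli: locate installed copies of a package
// that fall inside an npm advisory's vulnerable range and build the "overrides"
// stanza that pins a nested copy to the patched release.
// Assumption: prerelease tags are ignored when comparing versions.

// Parse "1.7.3" (or "1.7.3-beta.1") into [major, minor, patch] numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative, zero or positive, like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Does `version` satisfy one clause such as "1.3.2 - 1.7.3", ">=4.0.13",
// "<1.7.4" or "=1.7.3"? (A clause is one side of a "||" union.)
function satisfiesClause(version, clause) {
  const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(clause.trim());
  if (hyphen) {
    return compareVersions(version, hyphen[1]) >= 0 &&
           compareVersions(version, hyphen[2]) <= 0;
  }
  // Space-separated comparators must all hold, e.g. ">=1.3.2 <1.7.4".
  return clause.trim().split(/\s+/).every((part) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(part);
    const cmp = compareVersions(version, m[2]);
    switch (m[1]) {
      case '>': return cmp > 0;
      case '>=': return cmp >= 0;
      case '<': return cmp < 0;
      case '<=': return cmp <= 0;
      default: return cmp === 0;
    }
  });
}

// npm advisory ranges are a "||" union of clauses.
function isVulnerable(version, range) {
  return range.split('||').some((clause) => satisfiesClause(version, clause));
}

// Walk a flat map of installed paths -> versions (the shape of the "packages"
// keys in a lockfile; constructed here) and return every copy of `name`
// whose version lies inside the advisory range.
function findVulnerableNodes(installed, name, range) {
  return Object.entries(installed)
    .filter(([path, version]) =>
      path.endsWith(`node_modules/${name}`) && isVulnerable(version, range))
    .map(([path]) => path);
}

// Build the package.json "overrides" stanza (npm >= 8.3) that forces the copy
// of `dep` nested under `parent` to resolve to `version`.
function buildOverride(parent, dep, version) {
  return { overrides: { [parent]: { [dep]: version } } };
}

// Constructed sample: the project's own axios is already patched, but the
// copy nested under checkly is still inside the range from the audit report.
const INSTALLED = {
  'node_modules/axios': '1.7.4',
  'node_modules/checkly': '4.5.2',
  'node_modules/checkly/node_modules/axios': '1.7.3',
};
const ADVISORY_RANGE = '1.3.2 - 1.7.3'; // range quoted in the npm audit output
const PATCHED = '1.7.4';

// Returns the vulnerable paths and the override that would resolve them.
function report() {
  const hits = findVulnerableNodes(INSTALLED, 'axios', ADVISORY_RANGE);
  const fix = buildOverride('checkly', 'axios', PATCHED);
  return { hits, fix };
}

console.log(JSON.stringify(report(), null, 2));
```

Adding the returned `overrides` object to package.json and re-running `npm install` makes the nested copy resolve to the patched release until the upstream package updates its own dependency, which is the fix the reporter asks for.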

maxigimenez commented 2 months ago

Thanks, @bradbotcode, for reporting this; it will be solved by https://github.com/checkly/checkly-cli/pull/958