codeceptjs / CodeceptJS

Supercharged End 2 End Testing Framework for NodeJS
http://codecept.io
MIT License
4.11k stars 724 forks

CodeceptJS depends on vulnerable package `axios@1.7.2` #4481

Closed mhassan1 closed 1 month ago

mhassan1 commented 1 month ago

What are you trying to achieve?

I am trying to resolve npm audit warnings in my project that uses CodeceptJS.

What do you get instead?

$ npm audit
# npm audit report

axios  1.3.2 - 1.7.3
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix --force`
Will install codeceptjs@3.5.4, which is a breaking change
node_modules/axios
  codeceptjs  3.5.1-2.beta.7 || >=3.5.5
  Depends on vulnerable versions of axios
  node_modules/codeceptjs

See https://github.com/advisories/GHSA-8hc4-vh64-cxmj.


kobenguyent commented 1 month ago

would be resolved by this once a new version is released https://github.com/codeceptjs/CodeceptJS/pull/4482