grafana / pyroscope-nodejs

Pyroscope NodeJS integration
Apache License 2.0

fix: Bump axios version #40

Closed bryanhuhta closed 5 months ago

bryanhuhta commented 6 months ago

Fixes CVE-2023-45857. I also removed the "compatible with" operator to avoid blindly accepting more upstream changes that might break us.

bryanhuhta commented 6 months ago

After more research, there are two problems with simply bumping the axios version to address this CVE:

  1. v1 axios changes its module export from CJS modules to ESM
  2. This library may not even be impacted by this CVE

For 1, upgrading to axios v1 causes our Jest test to break, which can be fixed, but this signals we may be breaking users of the library. We should proceed with caution here.

For 2, CVE-2023-45857 has reproduction steps which include:

```js
const axios = require('axios');

const instance = axios.create({
  withCredentials: true,
});
```

This library doesn't use the withCredentials: true option and thereby may not actually be susceptible to this vulnerability.
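To make the reasoning in the comment above concrete, here is an added example (not code from pyroscope-nodejs or from axios) that models the XSRF-header decision CVE-2023-45857 is about. Before the fix, axios attached the `XSRF-TOKEN` cookie as an `X-XSRF-TOKEN` header whenever a request was same-origin or `withCredentials` was set, so `withCredentials: true` sent the token to any host; the fixed logic ignores `withCredentials` and only attaches it same-origin or on an explicit `withXSRFToken: true` opt-in. This header logic lives in the browser (XHR) adapter only; the Node http adapter never adds it. Origins, cookie value and the `leaksCrossOrigin` helper are constructed for the example.

```javascript
// Constructed cookie jar standing in for document.cookie in a browser.
const COOKIES = { 'XSRF-TOKEN': 'constructed-token-value' };

function isSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl).origin === pageOrigin;
}

// Pre-fix behaviour (axios < 1.6.0): attach the token when the request is
// same-origin OR withCredentials is set. The second condition is the bug:
// withCredentials: true leaks the token to every host the client talks to.
function xsrfHeaderVulnerable(config, requestUrl, pageOrigin) {
  const cookieName = config.xsrfCookieName ?? 'XSRF-TOKEN';
  const headerName = config.xsrfHeaderName ?? 'X-XSRF-TOKEN';
  const attach = Boolean(config.withCredentials) || isSameOrigin(requestUrl, pageOrigin);
  const value = attach ? COOKIES[cookieName] : undefined;
  return value ? { [headerName]: value } : {};
}

// Fixed behaviour (axios >= 1.6.0): withCredentials no longer matters; the token
// is attached only same-origin, unless the caller opts in with withXSRFToken: true.
function xsrfHeaderFixed(config, requestUrl, pageOrigin) {
  const cookieName = config.xsrfCookieName ?? 'XSRF-TOKEN';
  const headerName = config.xsrfHeaderName ?? 'X-XSRF-TOKEN';
  const attach = config.withXSRFToken === true ||
    (config.withXSRFToken !== false && isSameOrigin(requestUrl, pageOrigin));
  const value = attach ? COOKIES[cookieName] : undefined;
  return value ? { [headerName]: value } : {};
}

// Constructed check: does this config leak the token to a third-party host
// under the vulnerable logic? This is the question the comment above asks
// about the library's own axios configuration.
function leaksCrossOrigin(config) {
  const pageOrigin = 'https://app.example';               // constructed
  const thirdParty = 'https://collector.example/ingest';  // constructed
  return 'X-XSRF-TOKEN' in xsrfHeaderVulnerable(config, thirdParty, pageOrigin);
}

// The CVE reproduction config from the comment, and a config without withCredentials.
const reproConfig = { withCredentials: true };
const libraryStyleConfig = {};

console.log('repro leaks cross-origin:', leaksCrossOrigin(reproConfig));            // true
console.log('no-credentials leaks cross-origin:', leaksCrossOrigin(libraryStyleConfig)); // false
```

Swapping `xsrfHeaderVulnerable` for `xsrfHeaderFixed` in the check shows the repro config no longer leaks, while same-origin requests still carry the header under both versions.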

simonswine commented 5 months ago

Went with #56 #57 instead