ibmdb / node-ibm_db

IBM DB2 and IBM Informix bindings for node
MIT License

Update Axios #965

Closed huineng closed 7 months ago

huineng commented 7 months ago

Could you please update axios to a newer version, e.g. 1.6.1? The version you have as a dependency, 1.5.0, is vulnerable:

ID              SEVERITY  DESCRIPTION
CVE-2023-45857  high      An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies
                           by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers
                           to view sensitive information.

thanks

bimalkjha commented 7 months ago

@huineng It is already fixed by PR #964 and will be available as part of the next release. We are trying to release a new version of ibm_db with updated axios in 2-3 days. Thanks.
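The report above is a typical dependency-audit finding: a transitive copy of axios in the vulnerable range for CVE-2023-45857. The following is an added example, not code from the ibm_db project or from either participant, showing how a defender can confirm such a finding by scanning an npm lockfile (lockfileVersion 2/3 `packages` map) for every axios install, nested copies included, and comparing each version against the patched release. It assumes the fix shipped in axios 1.6.0 (the patched version in the public advisory; the 1.6.1 the reporter asks for is also past the fix), and the lockfile contents are constructed for the example.

```javascript
// Added example (not part of the ibm_db project or this issue): scan an
// npm lockfile (lockfileVersion 2/3 "packages" map) for axios installs
// older than the release that fixed CVE-2023-45857.
//
// Assumption: the fix shipped in axios 1.6.0 (the public advisory's patched
// version; the reporter above asks for 1.6.1, which is also past the fix).
const FIXED_AXIOS_VERSION = "1.6.0";

// Parse "MAJOR.MINOR.PATCH" with an optional "-prerelease" tail.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric comparison of the major.minor.patch triple; on a tie, a
// prerelease (e.g. 1.6.0-beta.1) sorts before the final release (1.6.0).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Returns one finding per axios install (top-level or nested under another
// package's node_modules) whose version is older than FIXED_AXIOS_VERSION.
// `lock` is the parsed package-lock.json object.
function findVulnerableAxios(lock) {
  const findings = [];
  const pkgs = lock.packages || {};
  for (const [path, meta] of Object.entries(pkgs)) {
    // Match "node_modules/axios" at any nesting depth; the trailing "$"
    // keeps unrelated packages such as "axios-retry" out of the match.
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    if (!meta || typeof meta.version !== "string") continue;
    if (compareSemver(meta.version, FIXED_AXIOS_VERSION) < 0) {
      findings.push({
        path,
        version: meta.version,
        fixedIn: FIXED_AXIOS_VERSION,
        cve: "CVE-2023-45857",
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: a direct axios 1.5.0 (the version this issue
// reports) plus a nested, already-patched copy pulled in by a hypothetical
// dependency "some-client". Neither package name is from the project.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.1", dependencies: { axios: "1.5.0" } },
    "node_modules/axios": { version: "1.5.0" },
    "node_modules/axios-retry": { version: "3.8.0" },
    "node_modules/some-client": { version: "2.0.0", dependencies: { axios: "^1.6.1" } },
    "node_modules/some-client/node_modules/axios": { version: "1.6.1" },
  },
};

// Run the scan over the constructed lockfile and report each finding.
const sampleFindings = findVulnerableAxios(SAMPLE_LOCK);
for (const f of sampleFindings) {
  console.log(`${f.cve}: ${f.path}@${f.version} (fixed in ${f.fixedIn})`);
}
```

Against the constructed lockfile the scan flags only the top-level `node_modules/axios@1.5.0`; the nested 1.6.1 copy and the unrelated `axios-retry` package are left alone. To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nesting-aware path match matters because `npm audit`-style fixes often leave an old copy under another dependency's `node_modules` even after the top-level one is updated.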