infinitered / apisauce

Axios + standardized errors + request/response transforms.
MIT License

Vulnerability introduced by package follow-redirects #302

Open ankush-gaba-bluejeans opened 1 year ago

ankush-gaba-bluejeans commented 1 year ago

Hi, @skellock @rdewolff , there is a vulnerability introduced in your package apisauce:

ISSUE DESCRIPTION:

A vulnerability, CVE-2022-0536, is introduced in the apisauce package through the dependency axios 0.21.4, which uses the follow-redirects package 1.14.0, which actually has this vulnerability. So this vulnerability was patched in version 1.14.9 of follow-redirects.

SUGGESTED SOLUTION:

Need to upgrade the version of axios in apisauce to at least 0.27.2, as axios 0.27.2 uses version 1.14.9 of follow-redirects, so that the vulnerability is fixed in it.

Thanks for your contributions

Regards, Ankush Gaba
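As an added example (not code from the apisauce project or the issue author), the following Node script shows how a consumer can verify whether the transitive chain described above actually lands a follow-redirects older than the patched 1.14.9 in their lockfile. It walks the `packages` map of a package-lock.json (lockfile v2/v3 layout) and reports every `follow-redirects` install below the fixed version. The lockfile embedded below is constructed for illustration; the `example-app` and `other-lib` names and the apisauce version string are placeholders, since the issue does not state them. The version comparison is a minimal dotted-numeric compare written here, not the `semver` package.

```javascript
// Added example, not part of apisauce: audit a package-lock.json "packages" map
// for follow-redirects versions below the patched release named in the issue.

const FIXED_FOLLOW_REDIRECTS = '1.14.9'; // version the issue names as patched

// Compare two dotted numeric versions (no pre-release handling; enough for this check).
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk lockfile v2/v3 "packages" entries (keys are install paths) and report every
// follow-redirects copy older than the fixed version, with the path it sits at.
function findVulnerableFollowRedirects(lock, fixed = FIXED_FOLLOW_REDIRECTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/follow-redirects')) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      findings.push({ path, version: entry.version, fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile mirroring the chain apisauce -> axios 0.21.4 ->
// follow-redirects 1.14.0 from the issue, plus an already-patched nested copy.
// 'example-app', 'other-lib' and the apisauce version are placeholders.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { apisauce: '*' } },
    'node_modules/apisauce': { version: '0.0.0', dependencies: { axios: '0.21.4' } }, // placeholder version
    'node_modules/axios': { version: '0.21.4', dependencies: { 'follow-redirects': '^1.14.0' } },
    'node_modules/follow-redirects': { version: '1.14.0' },
    'node_modules/other-lib/node_modules/follow-redirects': { version: '1.14.9' },
  },
};

const auditFindings = findVulnerableFollowRedirects(sampleLock);
if (auditFindings.length) {
  for (const f of auditFindings) {
    console.log(`${f.path}: follow-redirects ${f.version} < ${f.fixed} (CVE-2022-0536)`);
  }
} else {
  console.log('no follow-redirects install below the fixed version found');
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The quick manual equivalent is `npm ls follow-redirects`, which prints every resolved copy and the dependency path that pulled it in; after bumping axios as the issue suggests, both checks should show nothing below 1.14.9.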

pgodha commented 1 year ago

@ankush-gaba-bluejeans Can you please create a PR for it in this project?