I'm submitting a ...
[x] bug report
[ ] feature request
[ ] question about the decisions made in the repository
[ ] question about how to use this project
Summary
The following CVE is patched in 0.21.1 of axios:
https://github.com/advisories/GHSA-4w2v-q235-vp99
package.json uses a caret range to define figma-js' dependency on axios: https://github.com/jongold/figma-js/blob/3fbe4f390f7d67a2d4c6742cd46bed871fde23cb/package.json#L56-L58
The caret allows any updates as long as they do not modify the left-most non-zero digit:
https://docs.npmjs.com/cli/v6/using-npm/semver#caret-ranges-123-025-004
For users that e.g. depend on figma-js in a monorepo, this prevents an update to a version of axios that is not vulnerable to CVE-2020-28168.
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. StackOverflow, personal fork, etc.)
Hopefully, relaxing the dependency range (perhaps with >=) would be safe for this project. A quick skim of recent axios release notes suggests that there are no breaking/material changes between 0.19 and 0.21. https://github.com/axios/axios/releases
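An added example, not part of the issue or of the figma-js project, showing the caret-range rule the report cites: a small pure-JavaScript checker (no semver package) that applies npm's "left-most non-zero digit" rule and lists which axios versions a caret range versus a >= range would let a resolver pick. The range "^0.19.0" and the list of axios releases are assumed/constructed for the illustration; the real range is in the linked package.json.

```javascript
// Added example (not from the figma-js issue): minimal npm-style range check
// to show why a caret range on 0.19.x admits 0.19.* only, never 0.21.1, while
// ">=" does. Handles plain "^M.m.p" and ">=M.m.p" ranges only; "~", "||",
// x-ranges and prerelease tags are out of scope. "^0.19.0" is an assumed value.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of a caret range: bump the left-most non-zero
// component (npm caret rule) and zero everything after it.
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const lo = parseVersion(range.slice(1));
    return compare(v, lo) >= 0 && compare(v, caretUpperBound(lo)) < 0;
  }
  if (range.startsWith('>=')) {
    return compare(v, parseVersion(range.slice(2))) >= 0;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Which of the candidate releases would a resolver be allowed to pick?
function allowedVersions(range, candidates) {
  return candidates.filter((c) => satisfies(c, range));
}

// Constructed sample of axios release numbers; 0.21.1 is the patched one.
const AXIOS_RELEASES = ['0.19.0', '0.19.2', '0.20.0', '0.21.0', '0.21.1'];

console.log(allowedVersions('^0.19.0', AXIOS_RELEASES));  // 0.21.1 excluded
console.log(allowedVersions('>=0.19.0', AXIOS_RELEASES)); // 0.21.1 included
```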