mollie / mollie-api-node

Official Mollie API client for Node
http://www.mollie.com
BSD 3-Clause "New" or "Revised" License

Axios version bump required (vulnerability detected) #198

Closed. opensoars closed this issue 3 years ago.

opensoars commented 3 years ago

When running npm audit after installing mollie-api-node (npm install @mollie/api-client --save), a vulnerability is detected.

High          │ Server-Side Request Forgery
Package       │ axios
Patched in    │ >=0.21.1
Dependency of │ @mollie/api-client
Path          │ @mollie/api-client > axios
More info     │ https://npmjs.com/advisories/1594

Pimm commented 3 years ago

Hi, thanks for opening this issue. As was previously discussed in #187, the security issue in axios is not one which realistically affects Mollie merchants.

We do plan on releasing a new version of this library next week, which will depend on a newer version of axios.

Of course you could force the dependency to be resolved to a later version in your setup, or use the current master branch of this library, if you really wanted to. However, from a security perspective this is not necessary.
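The "force the dependency to be resolved to a later version" option mentioned above, as an added example that is not part of mollie-api-node or of this thread: a small script that scans a lockfileVersion 2/3 package-lock.json for any installed axios below the patched version from the audit output (0.21.1) and builds the pin a consumer would add to their own package.json (npm's `overrides` field, npm 8.3+, or Yarn classic's `resolutions` field). The lockfile contents and the @mollie/api-client version and range in it are constructed for the example, not real package metadata.

```javascript
// Added example, not code from mollie-api-node. Finds axios versions below
// the advisory's patched version in a package-lock.json (lockfileVersion 2/3,
// which has a flat "packages" map) and produces the override/resolution pin.

const PATCHED_AXIOS = '0.21.1'; // "Patched in >=0.21.1" from the npm audit output

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when version a is greater than or equal to version b.
function versionAtLeast(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] > pb[i];
  }
  return true;
}

// Walk the lockfile's "packages" map and return every installed axios
// (hoisted or nested) whose version is below the patched one.
function findVulnerableAxios(lock) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const isAxios =
      installPath === 'node_modules/axios' || installPath.endsWith('/node_modules/axios');
    if (isAxios && !versionAtLeast(entry.version, PATCHED_AXIOS)) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Return a copy of a consumer's package.json with axios pinned to the patched
// range for both npm ("overrides") and Yarn classic ("resolutions"), so the
// package manager resolves axios to that range regardless of what
// @mollie/api-client declares. After adding it, re-run `npm install` (or
// `yarn`) and `npm audit` to confirm the finding is gone.
function addAxiosOverride(pkgJson, range = `>=${PATCHED_AXIOS}`) {
  return {
    ...pkgJson,
    overrides: { ...(pkgJson.overrides || {}), axios: range },
    resolutions: { ...(pkgJson.resolutions || {}), axios: range },
  };
}

// Constructed sample lockfile (versions and ranges are illustrative only).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { '@mollie/api-client': '^3.0.0' } },
    'node_modules/@mollie/api-client': {
      version: '3.0.0',
      dependencies: { axios: '^0.19.0' },
    },
    'node_modules/axios': { version: '0.19.2' },
  },
};

// Constructed consumer package.json.
const samplePkg = { name: 'my-shop', dependencies: { '@mollie/api-client': '^3.0.0' } };

console.log(findVulnerableAxios(sampleLock));
console.log(JSON.stringify(addAxiosOverride(samplePkg), null, 2));
```

The check is deliberately limited to the flat `packages` map of lockfileVersion 2 and 3; a lockfileVersion 1 file nests `dependencies` recursively and would need a different walk. Pinning via overrides only helps if the newer axios is API-compatible with what the client uses, which is why upgrading the client itself, as suggested in this thread, is the cleaner fix.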

Pimm commented 3 years ago

The latest version of the library uses a newer axios. If anyone is still concerned about this, upgrade to 3.5.0+.