Open marxys opened 2 months ago
@maria-swierblewska @Pimm any timeline on solving this?
Yeah, would like to see this updated as well.
As per advisory https://github.com/advisories/GHSA-wf5p-g6vw-rhxx, the minimum patched version would be 0.28.0
To patch this in your own repo for now (when using pnpm), add this to your package.json and run pnpm i:
"pnpm": {
  "overrides": {
    "axios": "^0.28.0"
  }
}
Thanks for opening this issue.
The vulnerability in question can potentially reveal a secret stored in a cookie to untrusted servers. This client is not designed to run in a browser, so cookies are not a concern. Furthermore, the client connects to the Mollie server exclusively. The vulnerability therefore does not affect this client or its users, which is why no emergency release was made in response to it.
With that said, we plan to release a new version no later than next week.
If that is not soon enough, install the beta version:
npm install @mollie/api-client@beta
Hello, I saw that mollie-api-node runs with an old version of Axios. Here are my npm audit logs:
I solved the issue on my side by installing this:
npm install npm-force-resolutions --save-dev
Then add this to the package.json:
Then run
npm run preinstall
to upgrade.
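Both workarounds in this thread (the pnpm `overrides` block and npm-force-resolutions) force the transitive axios dependency up to the patched range, but neither confirms that every nested copy actually moved. The script below is an added example, not code from mollie-api-node or from anyone in this thread: it walks the `packages` map of an npm package-lock.json (lockfileVersion 2 or 3, where keys are node_modules paths) and lists every installed copy of axios that is still below the 0.28.0 minimum named in GHSA-wf5p-g6vw-rhxx. The sample lockfile object is constructed for the demonstration; the function names and the choice of npm's lockfile layout are assumptions.

```javascript
// Added example (not part of the thread or the mollie-api-node project).
// Verifies that no installed copy of a package is below a minimum patched version.

const MIN_PATCHED = "0.28.0"; // minimum patched axios version per the advisory in the thread

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", trailing prerelease/build ignored)
// into an array of three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a is greater than or equal to version b, comparing
// major, then minor, then patch numerically (no semver dependency needed).
function atLeast(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] > pb[i];
  }
  return true;
}

// Given a parsed package-lock.json (v2/v3) object, return every installed copy of
// `name` whose version is below `min`. Keys in lock.packages look like
// "node_modules/axios" or "node_modules/some-dep/node_modules/axios", so nested
// (hoisting-blocked) copies are found too. Entries without a version (workspace
// links) are skipped.
function findVulnerableCopies(lock, name, min) {
  const suffix = `node_modules/${name}`;
  const bad = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (!pkgPath.endsWith(suffix) || !meta || !meta.version) continue;
    if (!atLeast(meta.version, min)) {
      bad.push({ path: pkgPath, version: meta.version });
    }
  }
  return bad;
}

// Constructed sample lockfile: the top-level axios was overridden, but a nested
// copy under another dependency is still on the vulnerable 0.27 line.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.28.1" },
    "node_modules/some-dep": { version: "2.0.0" },
    "node_modules/some-dep/node_modules/axios": { version: "0.27.2" },
  },
};

// Summarise the check as a single pass/fail plus the offending entries.
function auditAxios(lock) {
  const bad = findVulnerableCopies(lock, "axios", MIN_PATCHED);
  return { ok: bad.length === 0, vulnerable: bad };
}

const result = auditAxios(SAMPLE_LOCK);
for (const entry of result.vulnerable) {
  console.log(`still vulnerable: ${entry.path} @ ${entry.version} (< ${MIN_PATCHED})`);
}
console.log(result.ok ? "all axios copies patched" : "override did not reach every copy");
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; pnpm's lockfile is YAML with a different layout, so for a pnpm project the equivalent check is `pnpm why axios` after the override, or `pnpm audit`.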