mollie / mollie-api-node

Official Mollie API client for Node
http://www.mollie.com
BSD 3-Clause "New" or "Revised" License
228 stars 62 forks

Axios Dependency #346

Open marxys opened 2 months ago

marxys commented 2 months ago

Hello, I saw that mollie-api-node runs with an old version of Axios. Here are my npm audit logs:

Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
No fix available
node_modules/@mollie/api-client/node_modules/axios
  @mollie/api-client  <=3.7.0
  Depends on vulnerable versions of axios
  node_modules/@mollie/api-client

I solved the issue on my side by installing this: npm install npm-force-resolutions --save-dev

Then add this to the package.json (the preinstall entry goes alongside your existing scripts):

"resolutions": {
  "axios": "1.6.8"
},
"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

Then run npm run preinstall to upgrade.

vdhpieter commented 4 weeks ago

@maria-swierblewska @Pimm any timeline on solving this?

n2k3 commented 2 weeks ago

Yeah, would like to see this updated as well.

As per the advisory https://github.com/advisories/GHSA-wf5p-g6vw-rhxx, the minimum patched version would be 0.28.0.

To patch this in your own repo for now (when using pnpm), add this to your package.json and run pnpm i:

  "pnpm": {
    "overrides": {
      "axios": "^0.28.0"
    }
  }

Pimm commented 2 weeks ago

Thanks for opening this issue.

The vulnerability in question can potentially reveal a secret stored in a cookie to untrusted servers. This client is not designed to run in a browser, so cookies are not a concern. Furthermore, the client connects to the Mollie server exclusively. The vulnerability therefore does not affect this client or its users, which is why no emergency release was made in response to it.

With that said, we plan to release a new version no later than next week.

If that is not soon enough, install the beta version:

npm install @mollie/api-client@beta