nuxt-community / axios-module

Secure and easy axios integration for Nuxt 2
https://axios.nuxtjs.org
MIT License

High vulnerability - Denial of Service #366

Closed artmarydotir closed 4 years ago

artmarydotir commented 4 years ago

npm audit security report for axios module

version: 5.10.3
path: @nuxtjs/axios > @nuxtjs/proxy > http-proxy-middleware > http-proxy



pi0 commented 4 years ago

Hi @artmarydotir, thanks for reporting :green_heart: I'm going to update both proxy and axios modules; however, according to the advisory #1486, it is not effective on the way we use middleware:

> This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Update: Also tried locally and it is not stopping the server.
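A triage sketch for the two points above, added here as an example and not code from this thread or from the module: it maps an audit finding back to the direct dependency to bump, and checks whether local code meets the advisory's stated condition of calling `proxyReq.setHeader`. It assumes the npm 6 `npm audit --json` layout; the function names, the sample report and the sample config are constructed.

```javascript
// Constructed sample in the npm 6 `npm audit --json` shape, trimmed to the fields used.
const sampleAudit = { advisories: { "1486": {
  module_name: "http-proxy", severity: "high",
  findings: [{ paths: ["@nuxtjs/axios>@nuxtjs/proxy>http-proxy-middleware>http-proxy"] }],
} } };

// Constructed nuxt.config.js text (hypothetical project) that sets a header on proxyReq.
const sampleConfig = [
  "export default {",
  "  modules: ['@nuxtjs/axios'],",
  "  axios: { proxy: true },",
  "  proxy: {",
  "    '/api/': {",
  "      target: 'http://localhost:3001',",
  "      onProxyReq(proxyReq) { proxyReq.setHeader('x-example', '1') }",
  "    }",
  "  }",
  "}",
].join("\n");

// Map each direct dependency to the advisories it pulls in transitively,
// so the report says which package in package.json needs the bump.
function directDepsToBump(audit) {
  const out = {};
  for (const [id, adv] of Object.entries(audit.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split(">");
        (out[chain[0]] = out[chain[0]] || []).push({
          advisory: id, module: adv.module_name, severity: adv.severity,
          depth: chain.length - 1, // hops between the direct dep and the flagged module
        });
      }
    }
  }
  return out;
}

// List 1-based line numbers where the source calls proxyReq.setHeader(...).
// Text match only: it over-reports (comments count) and misses renamed parameters.
function findSetHeaderCalls(source) {
  return source.split("\n")
    .map((line, i) => (/\bproxyReq\s*\.\s*setHeader\s*\(/.test(line) ? i + 1 : 0))
    .filter((n) => n > 0);
}

console.log(directDepsToBump(sampleAudit), findSetHeaderCalls(sampleConfig));
```

An empty result from `findSetHeaderCalls` supports a "not reachable in our usage" note on the scanner finding; the dependency bump is still what clears the flag.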

kreig303 commented 4 years ago

understood if this does not directly impact the software. however some of us are using vulnerability scanning software in company repos and this still gets flagged as a HIGH... which is a problem for us because... build systems.

any chance you could accelerate a release for this dep?

willing to PR the dep bump into the repo if desired @pi0 thx! :)

pi0 commented 4 years ago

v5.11.0 released with @nuxtjs/proxy@2

kreig303 commented 4 years ago

Thank you, sir!