Closed AbhishekRatnawat closed 3 months ago
@AbhishekRatnawat solved and released in v14.3.0, thanks for reporting the issue :)
@nvuillam we can still see the vulnerability with the 0.26.0 version:
{
  "target": "Node.js",
  "category": "lang-pkgs",
  "type": "node-pkg",
  "vulnerabilities": [
    {
      "vulnerability_id": "CVE-2023-45857",
      "severity": "MEDIUM",
      "pkg_name": "axios",
      "pkg_path": "usr/local/lib/node_modules/npm-groovy-lint/node_modules/amplitude/node_modules/axios/package.json",
      "installed_version": "0.26.1",
      "fixed_version": "1.6.0, 0.28.0",
      "cvss_v2_score": "",
      "cvss_v3_score": "6.5",
      "status_summary": {
        "priority": "MEDIUM",
        "status": "FAILED"
      }
    }
  ],
@AbhishekRatnawat amplitude was last published 2 years ago, so it does not seem maintained.
That's OK because anyway I've not checked anonymous telemetry for more than that, so I can remove it from the dependencies :)
@AbhishekRatnawat released in v14.4.0 :)
We found that in the latest npm-groovy-lint package, there are critical vulnerabilities with the axios package. It is still using an older axios version-
Please help us by resolving these.