ory / sdk

The place where ORY's SDKs are being auto-generated
Apache License 2.0
141 stars 85 forks

Update axios to latest version #289

Closed Tjerk-Haaye-Henricus closed 10 months ago

Tjerk-Haaye-Henricus commented 1 year ago

Preflight checklist

Ory Network Project

No response

Describe the bug

The axios version of the JS client is 0.21.4; the newest version is 1.5.0.

Reproducing the bug

Install the client and look in package.json.

Relevant log output

No response

Relevant configuration

No response

Version

1.1.51

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

thesocialdev commented 1 year ago

What's the status of this issue?

aeneasr commented 1 year ago

We will need to update the generator to address this

beanow-at-crabnebula commented 10 months ago

Axios 0.x now has a CVE: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx, affecting the TS Ory client.

aeneasr commented 10 months ago

We just released ory/client v1.4.0 which uses the newest generator, hopefully resolving this issue!

aeneasr commented 10 months ago

It looks like the new generator still uses 0.x of Axios :/

https://github.com/ory/sdk/blob/0edad58697355b565962b6d8ebc9349fb7533a0c/clients/client/typescript/package.json#L27

aeneasr commented 10 months ago

Seems like there is work to upgrade axios, but it will take a few weeks before that's being released: https://github.com/OpenAPITools/openapi-generator/commit/a460b7ea8783dce3b86ca8e1f8212204f856ae19

beanow-at-crabnebula commented 10 months ago

Weeks? :sweat_smile: I'm not familiar with their release policy, and it looks like they rolled their own version management. How feasible would it be to run with a commit ref instead of a release?

beanow-at-crabnebula commented 9 months ago

Coming back to this one, looks like the generator update is released: https://github.com/OpenAPITools/openapi-generator/releases/tag/v7.2.0

Typescript @ory/client is still affected though: https://github.com/ory/sdk/blob/master/clients/client/typescript/package.json#L27

https://www.npmjs.com/package/@ory/client/v/1.4.8?activeTab=code

Even though we just updated to the latest generator? https://github.com/ory/sdk/pull/315

Perhaps need to trigger a build.

aeneasr commented 9 months ago

Perhaps need to trigger a build.

Correct!

aeneasr commented 8 months ago

Release was triggered yesterday

Tjerk-Haaye-Henricus commented 8 months ago

Awesome 😎 Thanks a lot

beanow-at-crabnebula commented 8 months ago

Looking into that, it seems that hasn't resolved the axios version issue though :cry:

https://www.npmjs.com/package/@ory/client/v/1.5.1?activeTab=code https://github.com/ory/sdk/blob/ba317155622461527a6365ea4bfc0bf9b4c71111/clients/client/typescript/package.json#L27

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Axios Cross-Site Request Forgery Vulnerability         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ axios                                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0.8.1 <1.6.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.6.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ [...] > @ory/client@1.5.1 >                            │
│                     │ axios@0.27.2                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-wf5p-g6vw-rhxx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
1 vulnerabilities found
Severity: 1 moderate
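The audit output above flags a nested copy of axios (`@ory/client > axios@0.27.2`) that falls inside the advisory range `>=0.8.1 <1.6.0`. The following script is an added example, not code from this thread or from the ory/sdk repository: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3), finds every installed copy of axios, hoisted or nested under another package, and reports whether each one is inside that range. The lockfile contents are constructed to mirror the path reported in the comment; the version-range logic uses only the bounds quoted in the audit table and needs no `semver` dependency.

```javascript
// Added example (not from ory/sdk): audit every axios copy in a package-lock.json
// against the advisory range quoted in the thread, >=0.8.1 <1.6.0 (GHSA-wf5p-g6vw-rhxx).
// Plain Node.js, no third-party modules.

// Bounds taken from the audit output above.
const VULNERABLE_MIN = "0.8.1"; // first affected release (inclusive)
const PATCHED_MIN = "1.6.0";    // first patched release

// Parse "0.27.2" / "1.6.0" / "v1.6.0-beta.1" into numeric [major, minor, patch].
// Prerelease suffixes are dropped; for a coarse audit that is acceptable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is >=0.8.1 and <1.6.0.
function isVulnerableAxios(version) {
  return compareVersions(version, VULNERABLE_MIN) >= 0 &&
         compareVersions(version, PATCHED_MIN) < 0;
}

// Inspect the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/axios" (hoisted) or
// "node_modules/@ory/client/node_modules/axios" (nested under @ory/client).
function auditAxios(lock) {
  const results = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key.endsWith("node_modules/axios")) continue;
    // Turn the key into a readable dependency path: "@ory/client > axios".
    const chain = key.split("node_modules/")
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ""));
    results.push({
      path: chain.join(" > "),
      version: entry.version,
      vulnerable: isVulnerableAxios(entry.version),
    });
  }
  return results;
}

// Read a real lockfile from disk and audit it.
function auditLockFile(lockPath) {
  const fs = require("fs");
  return auditAxios(JSON.parse(fs.readFileSync(lockPath, "utf8")));
}

// Constructed sample lockfile (assumption, not a real project's file): a patched
// hoisted axios next to the vulnerable nested copy reported in the thread.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@ory/client": "1.5.1", axios: "1.6.0" } },
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/@ory/client": { version: "1.5.1", dependencies: { axios: "^0.27.2" } },
    "node_modules/@ory/client/node_modules/axios": { version: "0.27.2" },
  },
};

// Usage: node audit-axios.js [path/to/package-lock.json]; without an argument the
// constructed sample is audited.
const findings = process.argv[2] ? auditLockFile(process.argv[2]) : auditAxios(SAMPLE_LOCK);
for (const f of findings) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.path}@${f.version}`);
}
```

Because `npm audit` already covers this case, the value of a check like this is in CI gates that only care about one advisory: it makes the nested copy visible even when the top-level `axios` pin is already at a patched release, which is exactly the situation the comment above describes.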

BatuhanW commented 8 months ago

I think this issue needs to be re-opened. cc @aeneasr

aeneasr commented 8 months ago

1.5.2 is out with axios in 1.6+

aeneasr commented 8 months ago

https://www.npmjs.com/package/@ory/client/v/1.5.2?activeTab=code