Closed Tjerk-Haaye-Henricus closed 10 months ago
What's the status of this issue?
We will need to update the generator to address this
Axios 0.x now has a CVE: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx, affecting the TS Ory client.
We just released ory/client v1.4.0, which uses the newest generator, hopefully resolving this issue!
It looks like the new generator still uses 0.x of Axios :/
Seems like there is work to upgrade axios, but it will take a few weeks before that's being released: https://github.com/OpenAPITools/openapi-generator/commit/a460b7ea8783dce3b86ca8e1f8212204f856ae19
Weeks? :sweat_smile: I'm not familiar with their release policy, and it looks like they rolled their own version management. How feasible would it be to run with a commit ref instead of a release?
Coming back to this one, looks like the generator update is released: https://github.com/OpenAPITools/openapi-generator/releases/tag/v7.2.0
TypeScript @ory/client is still affected though:
https://github.com/ory/sdk/blob/master/clients/client/typescript/package.json#L27
https://www.npmjs.com/package/@ory/client/v/1.4.8?activeTab=code
Even though we just updated to the latest generator? https://github.com/ory/sdk/pull/315
Perhaps need to trigger a build.
Correct!
Release was triggered yesterday
Awesome 😎 Thanks a lot
Looking into that, it seems that hasn't resolved the axios version issue though :cry:
https://www.npmjs.com/package/@ory/client/v/1.5.1?activeTab=code
https://github.com/ory/sdk/blob/ba317155622461527a6365ea4bfc0bf9b4c71111/clients/client/typescript/package.json#L27
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate │ Axios Cross-Site Request Forgery Vulnerability │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ axios │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0.8.1 <1.6.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=1.6.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ [...] > @ory/client@1.5.1 > │
│ │ axios@0.27.2 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-wf5p-g6vw-rhxx │
└─────────────────────┴────────────────────────────────────────────────────────┘
1 vulnerabilities found
Severity: 1 moderate
I think this issue needs to be re-opened. cc @aeneasr
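One way to check a project's own lockfile for the nested axios the audit output above flags, as an added example that is not code from the ory/sdk project: it walks the `packages` map of a package-lock.json (lockfile v2/v3 layout) and reports every axios install whose version falls inside the advisory's affected range. The lockfile object below is constructed to mirror the audit path above (@ory/client 1.5.1 nesting axios 0.27.2 beside a patched root axios); the function and variable names are this example's own.

```javascript
// Affected range as quoted in the audit output for GHSA-wf5p-g6vw-rhxx:
// vulnerable >=0.8.1 <1.6.0, patched >=1.6.0.
const AFFECTED = { min: "0.8.1", maxExclusive: "1.6.0" };

// Minimal semver parse: major.minor.patch, ignoring pre-release/build tags.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing numerically per component.
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when the version is inside the advisory's affected range.
function isAffected(version) {
  return compare(version, AFFECTED.min) >= 0 &&
    compare(version, AFFECTED.maxExclusive) < 0;
}

// Scan lockfile "packages" keys such as "node_modules/@ory/client/node_modules/axios";
// the key itself shows which dependent pulled the nested copy in.
function findVulnerableAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not a real project's): the root depends on a patched
// axios, but @ory/client 1.5.1 still nests axios 0.27.2 under its own node_modules.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@ory/client": "1.5.1", axios: "^1.6.0" } },
    "node_modules/axios": { version: "1.6.2" },
    "node_modules/@ory/client": { version: "1.5.1", dependencies: { axios: "^0.27.2" } },
    "node_modules/@ory/client/node_modules/axios": { version: "0.27.2" },
  },
};

console.log(findVulnerableAxios(sampleLock));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means no axios copy in the affected range is installed.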
1.5.2 is out with axios in 1.6+
Preflight checklist
Ory Network Project
No response
Describe the bug
The axios version of the JS client is 0.21.4; the newest version is 1.5.0.
Reproducing the bug
Install the client and look in package.json.
Relevant log output
No response
Relevant configuration
No response
Version
1.1.51
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response