ory / sdk

The place where ORY's SDKs are being auto-generated
Apache License 2.0

Update Axios for OSS packages (@ory/kratos-client, @ory/keto-client, etc.) #324

Closed beanow-at-crabnebula closed 4 months ago

beanow-at-crabnebula commented 5 months ago

Ory Network Project

No response

Describe the bug

The security vulnerability fixed by upgrading axios (see #289) also applies to the clients targeting the stable open source releases.

Reproducing the bug

See https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

Relevant log output

No response

Relevant configuration

No response

Version

Kratos v1.0.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

It probably warrants a patch release for each of the respective clients.

beanow-at-crabnebula commented 4 months ago

There's a fix available now: v1.1.0 regenerated with the fixed axios. https://www.npmjs.com/package/@ory/kratos-client/v/1.1.0?activeTab=code