perry-mitchell / webdav-client

WebDAV client written in Typescript for NodeJS and the browser
MIT License

Audit issue in version 4.11.3 #383

Closed pit999 closed 3 weeks ago

pit999 commented 1 month ago

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install webdav@5.7.1, which is a breaking change
node_modules/webdav/node_modules/axios
  webdav  2.0.0-rc1 - 4.11.3
  Depends on vulnerable versions of axios
  node_modules/webdav
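The text report above is what `npm audit` prints; the same data is available as `npm audit --json`, which is easier to triage in CI. The following is an added example (not code from the webdav project or from anyone in this thread) that reads such a report and separates findings that `npm audit fix` can clear from those whose only fix is a semver-major upgrade, which is exactly the situation reported here. The report object is constructed by hand to mirror the quoted output; the field names (`vulnerabilities`, `via`, `nodes`, `fixAvailable` with `isSemVerMajor`) are assumed to follow the npm v7+ `auditReportVersion: 2` format.

```javascript
// Constructed sample mirroring the quoted `npm audit` output, in the shape
// `npm audit --json` produces (assumed: auditReportVersion 2 field names).
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: "axios",
      severity: "moderate",
      isDirect: false,
      via: [
        {
          name: "axios",
          title: "Axios Cross-Site Request Forgery Vulnerability",
          url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
          severity: "moderate",
          range: "0.8.1 - 0.27.2",
        },
      ],
      effects: ["webdav"],
      range: "0.8.1 - 0.27.2",
      nodes: ["node_modules/webdav/node_modules/axios"],
      fixAvailable: { name: "webdav", version: "5.7.1", isSemVerMajor: true },
    },
    webdav: {
      name: "webdav",
      severity: "moderate",
      isDirect: true,
      via: ["axios"],
      effects: [],
      range: "2.0.0-rc1 - 4.11.3",
      nodes: ["node_modules/webdav"],
      fixAvailable: { name: "webdav", version: "5.7.1", isSemVerMajor: true },
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Flatten each finding to what a reviewer needs: the advisory behind it
// (objects in `via` are advisories, strings are the package it is reached
// through), where it sits in node_modules, and what fixing it costs.
function triageAudit(report, minSeverity = "low") {
  const minRank = SEVERITY_RANK[minSeverity] ?? 0;
  const findings = [];
  for (const vuln of Object.values(report.vulnerabilities ?? {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? 0) < minRank) continue;
    const fix = vuln.fixAvailable;
    let fixKind;
    if (fix === false || fix === undefined) fixKind = "none";
    else if (fix === true) fixKind = "patch"; // non-breaking fix in range
    else if (fix.isSemVerMajor) fixKind = `breaking: ${fix.name}@${fix.version}`;
    else fixKind = `upgrade: ${fix.name}@${fix.version}`;
    findings.push({
      name: vuln.name,
      severity: vuln.severity,
      isDirect: vuln.isDirect,
      range: vuln.range,
      paths: vuln.nodes,
      advisories: vuln.via.filter((v) => typeof v === "object").map((a) => a.url),
      reachedVia: vuln.via.filter((v) => typeof v === "string"),
      fix: fixKind,
    });
  }
  // Worst severity first, then direct dependencies before transitive ones,
  // since a direct dependency is the one you can actually bump.
  return findings.sort(
    (a, b) =>
      SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] ||
      Number(b.isDirect) - Number(a.isDirect),
  );
}

// True when every finding at or above `minSeverity` has a fix that does not
// need a major upgrade, i.e. plain `npm audit fix` (no --force) clears it.
function isCleanlyFixable(report, minSeverity = "moderate") {
  return triageAudit(report, minSeverity).every(
    (f) => f.fix === "patch" || f.fix.startsWith("upgrade:"),
  );
}

// Run against the constructed report.
const triaged = triageAudit(sampleAudit);
console.log(JSON.stringify(triaged, null, 2));
console.log("cleanly fixable:", isCleanlyFixable(sampleAudit));
```

For a real project, replace `sampleAudit` with the parsed output of `npm audit --json`; a CI gate that fails only when `isCleanlyFixable` is false and a human has not accepted the breaking upgrade is a reasonable policy for the case this issue describes.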

perry-mitchell commented 1 month ago

Hi! I'd recommend upgrading to the latest webdav as it's better to use fetch where available.

I'd accept a PR to update axios in v4 but don't have the bandwidth to do that myself right now.

pit999 commented 1 month ago

I have the same problem as in issue #374. Using ESM modules I get the same error. I'm using the feathers framework. I will check with the feathers developers how to solve that. Version 4 works fine :-) I read that you will deliver security updates for version 4, so I thought it's safe to use version 4.

perry-mitchell commented 1 month ago

I'll release a security patch for v4 once this PR drops.

Seems it's out - I'll try to get this resolved today.

jusfeel commented 1 month ago

Still on 4. Is it possible to patch up 4 please?

perry-mitchell commented 1 month ago

The update is taking longer than expected as I have to update to the new major version of axios, from 0 to 1, which is hardly a patch...

I'll try to get it out today.

perry-mitchell commented 3 weeks ago

I'm not sure that upgrading Axios for v4 will be possible, as it's a major update and the update has breaking changes (node support). Please see my PR: #386

perry-mitchell commented 3 weeks ago

I updated deps and fixed what vulnerabilities were possible. Axios' moderate level vulnerability is less than ideal but it's the best that they're providing for v0, and due to that, I can't fix it on this side. If they release a patch for v0, which I doubt they will, I'll update it here.

jusfeel commented 3 weeks ago

Understood. Any chance to add CommonJS support in 5?

perry-mitchell commented 3 weeks ago

Yeah, CJS will make a comeback. It's just a bit of work as I'm not sure that Webpack is capable of it - CJS/ESM across the browser and node builds. Changing to rollup would work but that's a larger change. Let's see...