reportportal / client-javascript

This Client is to communicate with the ReportPortal on Node.js.
https://www.npmjs.com/package/@reportportal/client-javascript
Apache License 2.0
16 stars 51 forks

Axios security issue CVE-2023-45857 #180

Closed vekunz closed 9 months ago

vekunz commented 11 months ago

Several days ago, a security risk in Axios was published: https://avd.aquasec.com/nvd/2023/cve-2023-45857/. This project currently uses a very old version of Axios, which needs to be updated at least to v1.6.0.

AmsterGet commented 11 months ago

Hi @vekunz ! Thanks for highlighting this. You can refer to the comments in our PR that addressed this issue. Briefly, we cannot bump the axios version to the latest right now, as it will break reporters that are working in a Node.js 10 environment. Yes, we know that it is an outdated version of the engine, but our statistics say that it is still used among our users, with ~7k launches per month. Therefore this update should be done in the next major version of the client, which will drop support for Node.js 10. For now we follow the principle of keeping a correlation between agent/client and Report Portal API Service versions, so we need some time to discuss this approach internally, to change it or find another solution.

vekunz commented 11 months ago

Hi, do you have a timeline for when the next major release is planned? Or can you estimate the impact of the CVE for this package? We are in an enterprise environment, and such vulnerabilities are a problem. We have to handle them somehow (either fix them or "ignore" them with a very, very good explanation); otherwise, our build pipelines will automatically fail after some time (to force us to fix the vulnerability).

AmsterGet commented 11 months ago

Hi @vekunz ! I need time to determine whether the vulnerability may affect users of our packages or not. I'll update you here in a few days. If you're not running a Node.js 10 environment, you may be able to update to the patched version of Axios yourself if you typically do a clean install of packages based on a lock file. This is a temporary solution until we resolve the security issue on our end. Thanks.
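The consumer-side workaround mentioned in the comment above (forcing a patched axios onto the client package and re-installing from the lock file), as an added example that is not code from this project or from either commenter. It shows the package.json `overrides` fragment a consumer would add (npm 8.3 or newer; Yarn classic uses `resolutions` instead) and a check over package-lock.json that no axios older than 1.6.0 is left anywhere in the tree, so a pipeline can fail on a leftover nested copy. All lockfile contents and the client version numbers below are constructed for the example, not taken from the project.

```javascript
// Added example, not code from the reportportal/client-javascript project.
// After pinning axios via npm "overrides", confirm from package-lock.json that
// no axios older than 1.6.0 remains. Runs offline: every lockfile below is constructed.

// Minimum axios version carrying the CVE-2023-45857 fix (per the issue thread).
const FIXED_AXIOS = "1.6.0";

// package.json fragment that pins the transitive axios for the client package.
// Requires npm >= 8.3 ("overrides"); Yarn classic uses "resolutions" instead.
const packageJsonFragment = {
  overrides: {
    "@reportportal/client-javascript": { axios: `^${FIXED_AXIOS}` },
  },
};

// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into comparable numbers. A pre-release
// tag sorts below the bare release, so "1.6.0-beta.1" is still treated as vulnerable.
function parseVersion(v) {
  const [core, rest] = v.split(/(?=[-+])/, 2);
  const parts = core.split(".").map((p) => Number(p));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  const isPreRelease = rest !== undefined && rest.startsWith("-");
  return [...parts, isPreRelease ? 0 : 1];
}

// Numeric comparison of two semver strings: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collect every installed copy of axios. lockfileVersion 2/3 list each installed
// path under "packages"; lockfileVersion 1 nests them under "dependencies".
function collectAxios(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/axios")) found.push({ path, version: meta.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "axios") found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Return the axios copies that still predate the fixed version (empty = clean).
function findVulnerableAxios(lock) {
  return collectAxios(lock).filter((e) => compareVersions(e.version, FIXED_AXIOS) < 0);
}

// Constructed lockfileVersion 3 tree: the client still carries its own nested,
// pre-1.6.0 axios even though the application itself resolved a patched one.
// The client and axios version numbers are illustrative, not the project's.
const lockBeforeOverride = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@reportportal/client-javascript": { version: "5.0.0" },
    "node_modules/@reportportal/client-javascript/node_modules/axios": { version: "0.27.2" },
    "node_modules/axios": { version: "1.6.0" },
  },
};

// Same tree after a clean install with the overrides above: npm collapses the
// tree to one patched axios at the top level and the nested copy is gone.
const lockAfterOverride = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@reportportal/client-javascript": { version: "5.0.0" },
    "node_modules/axios": { version: "1.6.0" },
  },
};

// Constructed lockfileVersion 1 shape, to exercise the nested walk.
const lockV1 = {
  lockfileVersion: 1,
  dependencies: {
    "@reportportal/client-javascript": {
      version: "5.0.0",
      dependencies: { axios: { version: "0.27.2" } },
    },
  },
};

console.log("override fragment:", JSON.stringify(packageJsonFragment));
console.log("before override:", findVulnerableAxios(lockBeforeOverride));
console.log("after override:", findVulnerableAxios(lockAfterOverride));
console.log("lockfile v1:", findVulnerableAxios(lockV1));
```

In a pipeline, read the real package-lock.json with `JSON.parse(fs.readFileSync(...))` and exit non-zero when `findVulnerableAxios` returns anything; `npm ls axios` gives the same tree view interactively. Note that an override only changes what gets installed, it does not change what the client package was tested against, which is why the maintainers' own bump in a later release remains the proper fix.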

AmsterGet commented 9 months ago

Hi @vekunz ! Fixed in 5.1.0.