sofn-xyz / mailing

Build, test, send emails with React
https://www.mailing.run
MIT License
3.6k stars 74 forks

Bump posthog-node to fix vulnerability #497

Open dharmadeveloper108 opened 2 months ago

dharmadeveloper108 commented 2 months ago

Context

The current version of posthog-node uses an older version of Axios (0.27.0). An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

Fix

This PR bumps posthog-node to the latest version so that it uses an axios version that is not susceptible to the vulnerability.
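To make the failure mode in the PR description concrete, here is an added example (not code from the mailing repository, from posthog-node, or from axios) that models the cookie-to-header XSRF pattern. The first variant attaches the token to every request, which is the over-broad behaviour the advisory describes; the second only attaches it when the destination shares the page's origin, so a request to a third-party host never carries the cookie value. The page origin, cookie value, helper names (`attachXsrfHeaderBroad`, `attachXsrfHeaderSameOrigin`, `leakedTo`) and sample URLs are all constructed for this illustration.

```javascript
// Added example: model of the XSRF cookie-to-header behaviour described in
// the PR. Nothing here is axios or posthog-node code; all names and values
// are constructed for the illustration.

const PAGE_ORIGIN = "https://app.example.test";           // assumed origin of the running page
const COOKIES = { "XSRF-TOKEN": "constructed-token-123" }; // stand-in for document.cookie

// Resolve the request URL the way a browser would (relative URLs resolve
// against the page origin) and compare scheme, host and port.
function isSameOrigin(requestUrl, pageOrigin = PAGE_ORIGIN) {
  const target = new URL(requestUrl, pageOrigin);
  const page = new URL(pageOrigin);
  return target.origin === page.origin;
}

// Over-broad variant: the header is added whenever the cookie exists,
// regardless of where the request is going. This is the leak the advisory
// describes: any host the application talks to receives the token.
function attachXsrfHeaderBroad(requestUrl, headers = {}) {
  const token = COOKIES["XSRF-TOKEN"];
  if (token) headers["X-XSRF-TOKEN"] = token;
  return headers;
}

// Hardened variant: the token only travels back to the origin that set the
// cookie. Cross-origin destinations (other host, scheme or port) get nothing.
function attachXsrfHeaderSameOrigin(requestUrl, headers = {}) {
  const token = COOKIES["XSRF-TOKEN"];
  if (token && isSameOrigin(requestUrl)) headers["X-XSRF-TOKEN"] = token;
  return headers;
}

// Audit helper: list every destination that would receive the token under
// a given attach policy.
function leakedTo(attachFn, urls) {
  return urls.filter((u) => "X-XSRF-TOKEN" in attachFn(u, {}));
}

// Constructed sample destinations covering the same-origin edge cases.
const SAMPLE_URLS = [
  "/api/send",                              // relative path: same origin
  "https://app.example.test:443/api/list",  // explicit default port: still same origin
  "https://api.example.test/v1/events",     // sibling subdomain: different origin
  "http://app.example.test/api/send",       // different scheme: different origin
  "https://app.example.test:8443/api",      // different port: different origin
  "https://third-party.example/collect",    // unrelated host: different origin
];

console.log("broad policy sends the token to:", leakedTo(attachXsrfHeaderBroad, SAMPLE_URLS));
console.log("same-origin policy sends the token to:", leakedTo(attachXsrfHeaderSameOrigin, SAMPLE_URLS));
```

Run it with `node` and compare the two lists: the broad policy hands the token to all six destinations, including the sibling subdomain and the unrelated host, while the same-origin policy keeps it to the two requests that actually resolve to the page's origin. The `URL` comparison is what makes the port and scheme cases behave correctly; a plain hostname string compare would miss them.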

changeset-bot[bot] commented 2 months ago

⚠️ No Changeset found

Latest commit: 680bb89af0db1b6950e08c1e40662e0f31047d1a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.


vercel[bot] commented 2 months ago

@dharmadeveloper108 is attempting to deploy a commit to the sofn Team on Vercel.

A member of the Team first needs to authorize it.

socket-security[bot] commented 2 months ago

New and removed dependencies detected.

Package                          New capabilities           Transitives  Size     Publisher
npm/array.prototype.flat@1.3.0   None                       +3           54.4 kB  ljharb
npm/bluebird@3.7.2               environment, eval, unsafe  0            632 kB   esailija
npm/check-more-types@2.24.0      None                       0            63.8 kB  bahmutov
npm/es-abstract@1.20.4           None                       +11          1.62 MB  ljharb
npm/is-core-module@2.10.0        None                       +2           55.2 kB  ljharb
npm/lazy-ass@1.6.0               None                       0            19.4 kB  bahmutov
npm/make-error@1.3.6             None                       0            12.4 kB  julien-f
npm/typescript@5.4.5             None                       0            32.4 MB  typescript-bot

🚮 Removed packages: npm/@types/cookie@0.4.1, npm/@types/json5@0.0.29, npm/abbrev@1.1.1, npm/accepts@1.3.8, npm/assert-plus@1.0.0, npm/ast-types-flow@0.0.7, npm/axe-core@4.4.3, npm/axios@0.21.4, npm/axobject-query@2.2.0, npm/base64-js@1.5.1, npm/base64id@2.0.0, npm/console-control-strings@1.1.0, npm/core-util-is@1.0.2, npm/damerau-levenshtein@1.0.8, npm/depd@1.1.2, npm/detective@5.2.1, npm/extend@3.0.2, npm/extsprintf@1.3.0, npm/fresh@0.5.2, npm/has-bigints@1.0.2, npm/ieee754@1.2.1, npm/object-assign@4.1.1, npm/postcss-value-parser@4.2.0, npm/safe-buffer@5.2.1, npm/tweetnacl@0.14.5, npm/util-deprecate@1.0.2
