Open dharmadeveloper108 opened 2 months ago
Latest commit: 680bb89af0db1b6950e08c1e40662e0f31047d1a
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
@dharmadeveloper108 is attempting to deploy a commit to the sofn Team on Vercel.
A member of the Team first needs to authorize it.
New and removed dependencies detected. Learn more about Socket for GitHub.

Package | New capabilities | Transitives | Size | Publisher
---|---|---|---|---
npm/array.prototype.flat@1.3.0 | None | +3 | 54.4 kB | ljharb
npm/bluebird@3.7.2 | environment, eval, unsafe | 0 | 632 kB | esailija
npm/check-more-types@2.24.0 | None | 0 | 63.8 kB | bahmutov
npm/es-abstract@1.20.4 | None | +11 | 1.62 MB | ljharb
npm/is-core-module@2.10.0 | None | +2 | 55.2 kB | ljharb
npm/lazy-ass@1.6.0 | None | 0 | 19.4 kB | bahmutov
npm/make-error@1.3.6 | None | 0 | 12.4 kB | julien-f
npm/typescript@5.4.5 | None | 0 | 32.4 MB | typescript-bot
🚮 Removed packages: npm/@types/cookie@0.4.1, npm/@types/json5@0.0.29, npm/abbrev@1.1.1, npm/accepts@1.3.8, npm/assert-plus@1.0.0, npm/ast-types-flow@0.0.7, npm/axe-core@4.4.3, npm/axios@0.21.4, npm/axobject-query@2.2.0, npm/base64-js@1.5.1, npm/base64id@2.0.0, npm/console-control-strings@1.1.0, npm/core-util-is@1.0.2, npm/damerau-levenshtein@1.0.8, npm/depd@1.1.2, npm/detective@5.2.1, npm/extend@3.0.2, npm/extsprintf@1.3.0, npm/fresh@0.5.2, npm/has-bigints@1.0.2, npm/ieee754@1.2.1, npm/object-assign@4.1.1, npm/postcss-value-parser@4.2.0, npm/safe-buffer@5.2.1, npm/tweetnacl@0.14.5, npm/util-deprecate@1.0.2
Context

The current version of posthog-node uses an older version of Axios (0.27.0). An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

Fix

This PR bumps posthog-node to the latest version so that it uses an axios version that is not susceptible to the vulnerability.
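As an added illustration of the leak this PR closes (example code written for this review, not code from the PR, posthog-node or axios), the JavaScript below models the XSRF-header logic in the two forms the description contrasts: the vulnerable policy attaches the cookie value to every outbound request, the corrected policy only attaches it for same-origin requests unless the caller opts in per request. The cookie jar, page origin, request list and the `withXSRFToken` option name are constructed assumptions for the model; `leakedTo` is a small audit helper that reports which hosts would receive the token under a given policy.

```javascript
// Added example modelling the XSRF-header leak described above.
// Not axios's own implementation; names and sample data are assumptions.

// Constructed cookie jar for a page served from PAGE (assumption).
const COOKIES = { 'XSRF-TOKEN': 'tok-123', session: 'abc' };
const PAGE = 'https://app.example';

// Constructed outbound requests: one same-origin, two cross-origin.
const REQUESTS = [
  '/api/profile',                     // same-origin, may carry the token
  'https://api.example/v1/data',      // different origin, must not
  'https://attacker.example/collect', // third party, must not
];

// True when requestUrl (absolute or relative) resolves to the page's origin.
function sameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Vulnerable policy: read the XSRF cookie and attach it as X-XSRF-TOKEN on
// every request, without looking at the destination host (requestUrl is
// deliberately ignored, which is the bug).
function leakyHeaders(requestUrl, pageOrigin, cookies) {
  const headers = {};
  const token = cookies['XSRF-TOKEN'];
  if (token) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

// Corrected policy: attach the header only for same-origin requests, or when
// the caller explicitly sets withXSRFToken: true for that request.
// withXSRFToken: false suppresses it even for same-origin requests.
function safeHeaders(requestUrl, pageOrigin, cookies, { withXSRFToken } = {}) {
  const headers = {};
  const allow =
    withXSRFToken === true ||
    (withXSRFToken !== false && sameOrigin(requestUrl, pageOrigin));
  const token = cookies['XSRF-TOKEN'];
  if (allow && token) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

// Audit helper: list the hosts that would receive the token under headerFn.
function leakedTo(requests, pageOrigin, cookies, headerFn) {
  return requests
    .filter((r) => 'X-XSRF-TOKEN' in headerFn(r, pageOrigin, cookies))
    .map((r) => new URL(r, pageOrigin).host);
}

// Under the vulnerable policy the token reaches all three hosts; under the
// corrected policy only app.example sees it.
console.log('vulnerable:', leakedTo(REQUESTS, PAGE, COOKIES, leakyHeaders));
console.log('fixed:     ', leakedTo(REQUESTS, PAGE, COOKIES, safeHeaders));
```

The point of the `leakedTo` helper is that a CSRF token is only a secret relative to the origin that issued it; once a third-party host receives it in a header, an attacker controlling that host can replay it. When reviewing a bump like this one, confirm the resolved version in the lockfile rather than the range in package.json, for example with `npm ls axios`, since a transitive dependency can pin an older copy than the one the direct dependency declares.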