typesense / typesense-js

JavaScript / TypeScript client for Typesense
https://typesense.org/docs/api
Apache License 2.0

Bump axios to 1.6.0 (CVE-2023-45857) #180

Closed andrewjwu closed 9 months ago

andrewjwu commented 9 months ago

Description

CSRF vulnerability affecting axios versions < 1.6.0.

typesense-js currently depends on "axios": "^0.26.0".

Steps to reproduce

https://github.com/axios/axios/issues/6022
https://github.com/axios/axios/issues/6006
https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Expected Behavior

Upgrade axios to version 1.6.0 or higher.
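As an added illustration of the point in this issue (not code from typesense-js or from the reporter), the check below decides whether a declared npm caret range such as "^0.26.0" can ever resolve to the fixed axios line: a caret range on 0.x is capped below the next minor, so it can never pick up 1.6.0 without a manifest change. It assumes only the "^x.y.z" and exact "x.y.z" forms; the helper names and the sample ranges other than "^0.26.0" are constructed for the example.

```javascript
// Constructed example: classify a package.json range for axios against the
// version that carries the fix (1.6.0, as stated in the issue above).
const FIXED_AXIOS = '1.6.0';

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// npm caret semantics: "^1.2.3" -> >=1.2.3 <2.0.0; "^0.2.3" -> >=0.2.3 <0.3.0;
// "^0.0.3" -> >=0.0.3 <0.0.4. An exact version covers only itself.
function caretBounds(range) {
  const exact = !range.startsWith('^');
  const min = parseSemver(exact ? range : range.slice(1));
  if (exact) return { min, maxExclusive: [min[0], min[1], min[2] + 1] };
  const [maj, minr, pat] = min;
  if (maj > 0) return { min, maxExclusive: [maj + 1, 0, 0] };
  if (minr > 0) return { min, maxExclusive: [0, minr + 1, 0] };
  return { min, maxExclusive: [0, 0, pat + 1] };
}

// 'fixed'          every version the range allows is >= the fixed version
// 'vulnerable'     no version the range allows reaches the fix (bump needed)
// 'lock-dependent' the range straddles the fix; the lockfile decides
function classifyRange(range, fixed = FIXED_AXIOS) {
  const { min, maxExclusive } = caretBounds(range);
  const f = parseSemver(fixed);
  if (compareSemver(min, f) >= 0) return 'fixed';
  if (compareSemver(maxExclusive, f) <= 0) return 'vulnerable';
  return 'lock-dependent';
}

// The range from this issue plus constructed comparison ranges.
for (const r of ['^0.26.0', '^1.5.0', '^1.6.0', '1.6.2']) {
  console.log(r, '->', classifyRange(r));
}
```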

jasonbosco commented 9 months ago

Based on the steps to reproduce in https://github.com/axios/axios/issues/6006, this CVE only seems to affect cases where withCredentials: true is used in axios, which we do not use in typesense-js.

In any case, we'll plan a round of dependency upgrades separately.

jasonbosco commented 9 months ago

This is now available in 1.8.0-0.