search

watson-developer-cloud / node-sdk

:comet: Node.js library to access IBM Watson services.
https://www.npmjs.com/package/ibm-watson
Apache License 2.0
1.48k stars 669 forks source link

High vulnerabilities in Axios and Semver packages #1197

Closed EgleHelms closed 9 months ago

EgleHelms commented 1 year ago

ibm-watson@8.0.0

High vulnerabilities in: Vulnerability in axios@1.4.0: https://www.cve.org/CVERecord?id=CVE-2023-45857 Should be updated to axios@1.6.0

Vulnerability in semver@6.3.0: https://www.cve.org/CVERecord?id=CVE-2022-25883 Should be fixed in semver@5.7.2, @6.3.1, @7.5.2

levpachmanov commented 1 year ago

Hey @EgleHelms, We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an semver 6.3.0-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

apaparazzi0329 commented 9 months ago

ibm-watson@8.0.0 will pull in the latest version of the ibm-cloud-sdk-core, which makes the actual axios request, and currently uses axios@1.6.4. If there are future axios vulnerabilities you are concerned about it would be better to create an issue in the ibm-cloud-sdk-core repo: https://github.com/IBM/node-sdk-core