[Snyk] Security upgrade axios from 0.21.1 to 1.6.3

yurikrupnik commented 10 months ago

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json - package-lock.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:------------------------- ![medium severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/m.png "medium severity") | **658/1000**
**Why?** Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-AXIOS-6124857](https://snyk.io/vuln/SNYK-JS-AXIOS-6124857) | Yes | Proof of Concept (*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 250 commits.

b15b918 chore(release): v1.6.3 (#6151)
b76cce0 chore(ci): added branches filter for notify action; (#6084)
5e7ad38 fix: Regular Expression Denial of Service (ReDoS) (#6132)
8befb86 docs: update alloy link (#6145)
d18f40d docs: add headline sponsors
b3be365 chore(release): v1.6.2 (#6082)
8739acb chore(ci): removed redundant release action; (#6081)
bfa9c30 chore(docs): fix outdated grunt to npm scripts (#6073)
a2b0fb3 chore(docs): update README.md (#6048)
b12a608 chore(ci): removed paths-ignore filter; (#6080)
0c9d886 chore(ci): reworked ignoring files logic; (#6079)
30873ee chore(ci): add paths-ignore config to testing action; (#6078)
cff9967 feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; (#6046)
7009715 chore(ci): fixed release notification action; (#6064)
7144f10 chore(ci): fixed release notification action; (#6063)
f6d2cf9 chore(ci): fix publish action content permission; (#6061)
a22f4b9 chore(release): v1.6.1 (#6060)
cb8bb2b chore(ci): Publish to NPM with provenance (#5835)
37cbf92 chore(ci): added labeling and notification for published PRs; (#6059)
dd465ab fix(formdata): fixed content-type header normalization for non-standard browser environments; (#6056)
3dc8369 fix(platform): fixed emulated browser detection in node.js environment; (#6055)
f7adacd chore(release): v1.6.0 (#6031)
9917e67 chore(ci): fix release-it arg; (#6032)
96ee232 fix(CSRF): fixed CSRF vulnerability CVE-2023-45857 (#6028)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: 🧐 [View latest project report](https://app.snyk.io/org/yurikrupnik/project/ae10a455-7de4-4d41-a094-a456ab64f193?utm_source=github&utm_medium=referral&page=fix-pr) 🛠 [Adjust project settings](https://app.snyk.io/org/yurikrupnik/project/ae10a455-7de4-4d41-a094-a456ab64f193?utm_source=github&utm_medium=referral&page=fix-pr/settings) 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"fc5837a3-1a7e-484a-8749-150eef0d9894","prPublicId":"fc5837a3-1a7e-484a-8749-150eef0d9894","dependencies":[{"name":"axios","from":"0.21.1","to":"1.6.3"}],"packageManager":"npm","projectPublicId":"ae10a455-7de4-4d41-a094-a456ab64f193","projectUrl":"https://app.snyk.io/org/yurikrupnik/project/ae10a455-7de4-4d41-a094-a456ab64f193?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-AXIOS-6124857"],"upgrade":["SNYK-JS-AXIOS-6124857"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["updated-fix-title","priorityScore"],"priorityScoreList":[658],"remediationStrategy":"vuln"}) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Regular Expression Denial of Service (ReDoS)](https://learn.snyk.io/lesson/redos/?loc=fix-pr)

secure-code-warrior-for-github[bot] commented 10 months ago

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Cross-site request forgery (Detected by phrase)

Matched on "CSRF"

What is this? (2min video)

Session-related but not session-based, this attack is based on the ability of an attacker to force an action on a user’s browser (commonly in the form of a POST request) to perform an unauthorized action on behalf of the user. This can often occur without the user even noticing it… or only noticing when it is too late. The root cause is that browsers automatically send session cookies with all requests to a given domain, regardless of where the source of the request came from, and the application server cannot differentiate between a request that came from pages it served or a request that came from an unrelated page.

Try a challenge in Secure Code Warrior

Helpful references

Securing Rails Applications - Cross-Site Request Forgery (CSRF) - A Rails Guide that describes common security problems in web applications and how to avoid them with Rails.
Spring Security - Cross Site Request Forgery (CSRF) - A Spring Security article that describes Spring support for protecting against Cross Site Request Forgery attacks.
csurf Node.js CSRF protection middleware - Documentation on CSRF protection provided by the csurf middleware for Express.
XSRF/CSRF Prevention in ASP.NET MVC and Web Pages - A detailed Microsoft article on how to prevent cross-site request forgery in ASP.NET MVC and Web Pages.
Django Documentation - Cross Site Request Forgery protection - Documentation on CSRF protection provided by the Django framework.
OWASP Cross-Site Request Forgery Prevention Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing cross-site request forgery flaws in your applications.
Laravel Docs - CSRF Protection - Documentation on CSRF protection provided by the Laravel framework.
OWASP Cross Site Request Forgery (CSRF) - OWASP community page with comprehensive information about cross-site request forgery, and links to various OWASP resources to help detect or prevent it.
Preventing Cross-Site Request Forgery (CSRF) Attacks in ASP.NET MVC Application - A detailed Microsoft article on how to prevent cross-site request forgery in ASP.NET MVC.

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service