Skip to content

Bump axios to 1.8.2 to fix high severity vulnerability #51

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sbone merged 1 commit into from
Mar 13, 2025
Merged

Bump axios to 1.8.2 to fix high severity vulnerability #51

sbone merged 1 commit into from
Mar 13, 2025

Conversation

@aksafan
Copy link
Contributor

@aksafan aksafan commented Mar 12, 2025

Summary

There is a high severity vulnerability in axios library in all versions < 1.8.2.

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463

Action

This PR bumps axios version from 1.7.7 to 1.8.2 to fix that vulnerability.

Tests

All tests passed:
image

Changelog

Sourced from axios's changelog.

1.8.2 (2025-03-07)

Bug Fixes

  • http-adapter: add allowAbsoluteUrls to path building (#6810) (fb8eec2)

1.8.1 (2025-02-26)

Bug Fixes

  • utils: move generateString to platform utils to avoid importing crypto module into client builds; (#6789) (36a5a62)

1.8.0 (2025-02-25)

Bug Fixes

  • examples: application crashed when navigating examples in browser (#5938) (1260ded)
  • missing word in SUPPORT_QUESTION.yml (#6757) (1f890b1)
  • utils: replace getRandomValues with crypto module (#6788) (23a25af)

Features

Reverts

  • Revert "chore: expose fromDataToStream to be consumable (#6731)" (#6732) (1317261), closes #6731 #6732

BREAKING CHANGES

  • code relying on the above will now combine the URLs instead of prefer request URL

  • feat: add config option for allowing absolute URLs

  • fix: add default value for allowAbsoluteUrls in buildFullPath

  • fix: typo in flow control when setting allowAbsoluteUrls

1.7.9 (2024-12-04)

Reverts

  • Revert "fix(types): export CJS types from ESM (#6218)" (#6729) (c44d2f2), closes #6218 #6729

1.7.8 (2024-11-25)

Bug Fixes

  • allow passing a callback as paramsSerializer to buildURL (#6680) (eac4619)
  • core: fixed config merging bug (#6668) (5d99fe4)
  • fixed width form to not shrink after 'Send Request' button is clicked (#6644) (7ccd5fd)
  • http: add support for File objects as payload in http adapter (#6588) (#6605) (6841d8d)
  • http: fixed proxy-from-env module import (#5222) (12b3295)
  • http: use globalThis.TextEncoder when available (#6634) (df956d1)
  • ios11 breaks when build (#6608) (7638952)
  • types: add missing types for mergeConfig function (#6590) (00de614)
  • types: export CJS types from ESM (#6218) (c71811b)
  • updated stream aborted error message to be more clear (#6615) (cc3217a)
  • use URL API instead of DOM to fix a potential vulnerability warning; (#6714) (0a8d6e1)

@aksafan aksafan mentioned this pull request Mar 12, 2025
Closed
@sbone sbone self-requested a review March 13, 2025 18:25
sbone
sbone approved these changes Mar 13, 2025
View reviewed changes
Copy link
Contributor

@sbone sbone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @aksafan! We'll get this merged in and release a new version of drip-nodejs shortly after.

@sbone sbone merged commit f2d5151 into DripEmail:main Mar 13, 2025
@aksafan
Copy link
Contributor Author

aksafan commented Mar 13, 2025

Thanks, @aksafan! We'll get this merged in and release a new version of drip-nodejs shortly after.

Thank you @sbone! Appreciate that!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@sbone sbone sbone approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aksafan @sbone