Depends on vulnerable version of axios

[mtl1979]

Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
No fix available
node_modules/tronweb/node_modules/axios
  tronweb  *
  Depends on vulnerable versions of axios
  node_modules/tronweb

[svein1010]

Thanks a lot! We will update the axios soon.

[Ponnar-Evvo]

@mtl1979 @svein1010. Issue is resolve?. Still we got same error.

[mtl1979]

@mtl1979 @svein1010. Issue is resolve?. Still we got same error.

I don't see a new release with the fix included yet...

[start940315]

updated in TronWeb v6.0.0-beta.0. Welcome to try.

[mtl1979]

It's quite obvious some developers refuse to use TypeScript as it will make the existing JavaScript code less readable and require substantial rewrite, thus the code needs to be thoroughly retested on testnet. Same happened when web3js switched to TypeScript in 4.x series...

Callback functions are essential in asynchronous programs that depend on proper sequential order of executing methods. There is no guarantee that promises are executed in sequential order. This for example can cause nonces of transaction being out of order or program getting same nonce over and over, causing sending transactions to fail if too many transactions (sometimes just more than one) are unconfirmed concurrently.

[start940315]

It's quite obvious some developers refuse to use TypeScript as it will make the existing JavaScript code less readable and require substantial rewrite, thus the code needs to be thoroughly retested on testnet. Same happened when web3js switched to TypeScript in 4.x series...

Callback functions are essential in asynchronous programs that depend on proper sequential order of executing methods. There is no guarantee that promises are executed in sequential order. This for example can cause nonces of transaction being out of order or program getting same nonce over and over, causing sending transactions to fail if too many transactions (sometimes just more than one) are unconfirmed concurrently.

Please accept that typescript is so popular now. And we are going to pay more attention on it. Though you may see TronWeb v5.3.2 in the future and it may fix the problem, you can still try to rewrite you code and take advantage of promise and typescript.

[mtl1979]

Please accept that typescript is so popular now. And we are going to pay more attention on it. Though you may see TronWeb v5.3.2 in the future and it may fix the problem, you can still try to rewrite you code and take advantage of promise and typescript.

Forcing people to rewrite production code is not even an option. Canonical tried to force people to move from Ubuntu 18.04 to more recent versions and ended up breaking so many applications that some companies still refuse to upgrade their production servers to more recent versions. Even for Ubuntu 18.04 to work correctly, people had to downgrade gcc to 6.5, because gcc 7.5 couldn't even run on their machines.

[start940315]

I figure out what you mean. Please wait for TronWeb v5.3.2. It will solve the problem.