Axios outdated. Please bump.

[nl-brett-stime]

Getting a security ding because of our dependence on jfrog-client-js:

[attiasas]

Hi @nl-brett-stime, thank you for bringing this matter to our attention.

• Axios version >= 1.x has a bug in the proxy that’s currently blocking our upgrade. You can find more details here: AxiosError: write EPROTO 1C3B0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:c:\ws\deps\openssl\openssl\ssl\record\ssl3_record.c:355: axios/axios#4840.

• CVE-2023-45857 isn’t applicable in jfrog-client-js because it involves an XSRF token leaking into headers only when using a web browser. Our client doesn’t handle web browser requests, only REST APIs. The mitigation of CVE-2023-45857 kicks in only when isStandardBrowserEnv is true.

Once Axios resolves the proxy issue, i.e., after one of the following occurrences:

Merging of axios/axios#6091 into v0
Resolution of axios/axios#4840 in v1

we'll proceed with the upgrade to the "fixed version".

[DanieloDelgado]

Hi @attiasas , axios v0.28.0 was released last week. This version includes axios/axios#6091. You can proceed with releasing a new version with the fix for CVE-2023-45857

[jvillanuevabt]

Is there any update/ETA on this being resolved?

[asafcjfrog]

@jvillanuevabt As mentioned above by @attiasas , the CVE is not applicable. So, this is considered a low priority. Please let me know if you have any concerns.

[jvillanuevabt]

@jvillanuevabt As mentioned above by @attiasas , the CVE is not applicable. So, this is considered a low priority. Please let me know if you have any concerns.

I understand, my only concern is leaving a known vulnerable dependency unpatched indefinitely given it is considered good practice to update dependencies whenever possible. Of course there is no rush but I was hoping for an ETA on when that update will happen.