This repository was archived by the owner on Aug 29, 2023. It is now read-only.
NPM audit shows security problem in dependency "axios" #54
Open
Description
Hi guys,
so this is my package.json:

```json
{
  "name": "tplinkkasa",
  "version": "1.0.0",
  "description": "",
  "main": "server.js",
  "dependencies": {
    "tplink-cloud-api": "^0.8.1",
    "express": "^4.17.1",
    "body-parser": "^1.19.0"
  },
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "node server.js"
  },
  "author": "CY",
  "license": "ISC"
}
```
I'm using the current version 0.8.1 of tplink-cloud-api.
Further information:

```
$ node -v
v14.18.2
$ npm -v
8.3.0
```
Running `npm audit` shows me a warning because of 2 high severity vulnerabilities:

```
$ npm audit
# npm audit report

axios  <=0.21.1
Severity: high
Incorrect Comparison in axios - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Server-Side Request Forgery in Axios - https://github.com/advisories/GHSA-4w2v-q235-vp99
fix available via `npm audit fix --force`
Will install tplink-cloud-api@0.1.4, which is a breaking change
node_modules/axios
  tplink-cloud-api  >=0.2.0
  Depends on vulnerable versions of axios
  node_modules/tplink-cloud-api

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Obviously I won't run `npm audit fix --force` because I don't want to downgrade tplink-cloud-api to 0.1.4.

- You currently use `"axios": "^0.18.1"` (line 51 in 0143634).
- Looking at Incorrect Comparison in axios - GHSA-cph5-m8f7-6c5x:
  - Affected versions: <= 0.21.1
  - Patched versions: 0.21.2
- Looking at Server-Side Request Forgery in Axios - GHSA-4w2v-q235-vp99:
  - Affected versions: < 0.21.1
  - Patched versions: 0.21.1
- Therefore you should use at least Axios 0.21.2
Can you fix that, please?
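The issue above works out that axios 0.21.2 is the lowest version patched for both advisories, but leaves open how to get there without the downgrade that `npm audit fix --force` proposes. The following is an added example, not code from the issue or from the tplink-cloud-api project. It checks an axios version against the two advisory ranges quoted in the npm audit output, shows why the declared `^0.18.1` range can never resolve to a patched release (a caret on a 0.x version only permits updates within the same minor, so `^0.18.1` means `>=0.18.1 <0.19.0`), and builds the `overrides` entry that npm 8.3 and later accept in package.json to pin the transitive axios under tplink-cloud-api. The function names are mine, and the override assumes tplink-cloud-api still works against axios 0.21.x, which has to be confirmed by running the app and `npm audit` again after `npm install`.

```javascript
// Added example, not code from the issue or from tplink-cloud-api.
// Checks an axios version against the two advisory ranges quoted in the
// npm audit output above, explains why "^0.18.1" cannot reach a patched
// release, and builds an npm "overrides" entry (supported since npm 8.3)
// that pins the transitive axios instead of downgrading tplink-cloud-api.

// Advisory data exactly as quoted in the issue (ranges are the issue's own).
const ADVISORIES = [
  { id: 'GHSA-cph5-m8f7-6c5x', title: 'Incorrect Comparison in axios',
    affected: '<=0.21.1', patched: '0.21.2' },
  { id: 'GHSA-4w2v-q235-vp99', title: 'Server-Side Request Forgery in Axios',
    affected: '<0.21.1', patched: '0.21.1' },
];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); prerelease tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1, comparing numerically field by field (never as strings,
// so 0.21.10 sorts after 0.21.9).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Single-comparator ranges such as "<=0.21.1" or ">=0.2.0" (the form npm
// audit prints); anything else is rejected rather than guessed at.
function satisfies(version, range) {
  const m = /^(<=|>=|<|>|=)?\s*(\S+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || '=') {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    default: return c === 0;
  }
}

// IDs of advisories whose affected range still covers this version.
function vulnerableAdvisories(version, advisories = ADVISORIES) {
  return advisories.filter(a => satisfies(version, a.affected)).map(a => a.id);
}

// Lowest version patched for every advisory, assuming each fix applies to
// the patched version and everything above it (true for the two ranges here).
function minimumPatchedVersion(advisories = ADVISORIES) {
  return advisories.map(a => a.patched)
    .reduce((best, v) => (compareVersions(v, best) > 0 ? v : best));
}

// Exclusive upper bound of a caret range: ^1.2.3 -> 2.0.0, but ^0.18.1 ->
// 0.19.0 and ^0.0.3 -> 0.0.4, because a caret never crosses the leftmost
// non-zero field. This is why npm cannot bump a 0.x dependency past its
// minor version unless the dependant changes the range it declares.
function caretUpperBound(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const [maj, min, pat] = parseVersion(range.slice(1));
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

// Can any version allowed by the declared caret range be >= `wanted`?
function caretRangeReaches(range, wanted) {
  return compareVersions(wanted, caretUpperBound(range)) < 0;
}

// package.json "overrides" entry pinning `depName` only underneath
// `parentPkg` (npm >= 8.3); the "^" keeps later 0.21.x patches installable.
function overridesFor(parentPkg, depName, version) {
  return { overrides: { [parentPkg]: { [depName]: `^${version}` } } };
}

if (typeof require !== 'undefined' && require.main === module) {
  const declared = '^0.18.1';              // range tplink-cloud-api declares
  const target = minimumPatchedVersion();  // 0.21.2, as the issue concludes
  console.log(`${declared} can reach ${target}:`, caretRangeReaches(declared, target));
  console.log('still vulnerable at 0.21.1:', vulnerableAdvisories('0.21.1'));
  console.log(JSON.stringify(overridesFor('tplink-cloud-api', 'axios', target), null, 2));
}
```

The printed `overrides` object is merged into the application's own package.json (not into tplink-cloud-api's); after `npm install`, `npm ls axios` should show a single 0.21.x copy and `npm audit` should report no axios findings, without touching the tplink-cloud-api version.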