Outdated Axios has vulnerability
Hi @clarkenciel, thanks for reporting this issue.
Until we upgrade axios to the newest version, can you try upgrading it on your side? All package managers should support this syntax: npm up axios.
- https://docs.npmjs.com/cli/v11/commands/npm-update
- https://classic.yarnpkg.com/lang/en/docs/cli/upgrade/
@oliverlaz We have upgraded our direct dependency on axios. In fact, we're on the latest version. Unfortunately, getstream-js is on a very old version of axios:
❯ jq '.dependencies.axios' package.json
"1"
❯ jq '.dependencies.axios' node_modules/getstream/package.json
"0.x"
It's implied by the docs you linked that, since these two version ranges are incompatible, two versions of axios will be installed:
Then npm update will install [email protected] because that is the highest version that dep2 allows. npm will prioritize having a single version of dep1 in your tree rather than two when that single version can satisfy the semver requirements of multiple dependencies in your tree.
As far as I can tell, this is really something your team has to resolve.
Hi @clarkenciel, you should be able to upgrade the transitive dependencies too. From what I saw in the report, the Axios fix was backported to the v0.x.x branch.
If the above-mentioned commands didn't help, you can fall back to reinstalling the getstream package:
npm uninstall getstream
npm install getstream
In this case, the package manager should install the newest version satisfying the semver range. In our case:
- [email protected] -> [email protected] (the vulnerability was fixed in 0.28.0)
And yes, our team will work on upgrading to axios@^1.8.4+, but at this moment we don't have an ETA for when that would happen.
related: https://github.com/GetStream/stream-js/pull/617
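The jq check above only looks at declared ranges; what actually matters is which axios copies ended up installed, including the nested one under getstream. The following script is an added example (not code from this thread, GetStream or axios) that walks node_modules, lists every installed axios package.json, and flags copies below the fix versions quoted in the thread (0.28.0 on the 0.x line, 1.8.4 on the 1.x line). It assumes version fields without pre-release tags and paths without tab characters; the fixture it builds is constructed to mirror the layout described by @clarkenciel.

```shell
# Added example, not code from the thread or from GetStream: walk node_modules,
# list every installed copy of axios (direct and nested under other packages,
# which is what happens when ranges such as "1" and "0.x" cannot be unified)
# and flag versions older than the fix lines the thread names.

# Print "<dir><TAB><version>" for each axios package.json below $1.
list_axios_versions() {
  find "$1" -path '*/node_modules/axios/package.json' 2>/dev/null |
  while read -r pj; do
    v=$(sed -n 's/.*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
    printf '%s\t%s\n' "${pj%/package.json}" "$v"
  done
}

# Return 0 when dotted version $1 sorts strictly below $2 (no pre-release tags).
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$first" = "$1" ]
}

# Return 0 when $1 is an axios version still below the fix on its release line.
is_vulnerable() {
  case "$1" in
    0.*) version_lt "$1" 0.28.0 ;;
    1.*) version_lt "$1" 1.8.4 ;;
    *)   return 1 ;;
  esac
}

# Print "VULNERABLE <dir> <version>" for every flagged copy below $1.
audit_axios() {
  list_axios_versions "$1" | while IFS="$(printf '\t')" read -r dir ver; do
    if is_vulnerable "$ver"; then printf 'VULNERABLE %s %s\n' "$dir" "$ver"; fi
  done
}

# Number of flagged copies below $1 (a CI gate would require this to be 0).
count_vulnerable() { audit_axios "$1" | wc -l | tr -d ' '; }

# Constructed fixture mirroring the thread: a direct axios 1.x at the top level
# and an old 0.x copy nested under getstream. Prints the fixture root.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/node_modules/axios" "$root/node_modules/getstream/node_modules/axios"
  printf '{ "name": "axios", "version": "1.8.4" }\n' > "$root/node_modules/axios/package.json"
  printf '{ "name": "axios", "version": "0.21.1" }\n' > "$root/node_modules/getstream/node_modules/axios/package.json"
  printf '%s\n' "$root"
}
```

Run `audit_axios .` in a project root after `npm update` or the reinstall described above to confirm the nested copy actually moved to 0.28.x rather than only the direct one.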