JavaScript SDK: Axios Security Vulnerability

As of purecloud-platform-client-v2 version 181.0.0, I see the following npm security vulnerability report:

```
> npm audit
# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install purecloud-platform-client-v2@137.0.1, which is a breaking change
node_modules/purecloud-platform-client-v2/node_modules/axios
  purecloud-platform-client-v2  >=137.1.0
  Depends on vulnerable versions of axios
  node_modules/purecloud-platform-client-v2

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
Process terminated with code 1.
```

See Axios Cross-Site Request Forgery Vulnerability · CVE-2023-45857 · GitHub Advisory Database · GitHub.

@Boggs_Daniel the fix for this is in process and should be released soon. As a workaround for now, I believe you should be able to simply force install the updated axios version in your project using the suggested command above, or manually like `npm i axios@1.6.1 --force`, or however your environment manages packages. I've updated a few other projects I use that were using axios (not with the SDK) and there weren't any changes to its API.


Hi @Boggs_Daniel

A new version of the JavaScript SDK has been released, 182.0.0, with the latest version of axios.

Regards,
Declan

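To confirm which installed copies of axios still fall in the range the audit report flags (0.8.1 - 1.5.1), including the copy nested under the SDK, the dependency tree from `npm ls axios --all --json` can be walked as below. This is an added example, not code from the thread or the SDK; the function names and `sampleTree` (a constructed tree in the shape `npm ls --json` emits, with made-up nested versions) are assumptions.

```javascript
// Added example. Range taken from the npm audit output in the thread.
const VULN_MIN = [0, 8, 1];
const VULN_MAX = [1, 5, 1];

// Parse "major.minor.patch", ignoring any prerelease/build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is inside 0.8.1 - 1.5.1 (inclusive).
// Unparseable versions are flagged so they get a manual look.
function isVulnerableAxios(version) {
  const v = parseVersion(version);
  if (!v) return true;
  return cmp(v, VULN_MIN) >= 0 && cmp(v, VULN_MAX) <= 0;
}

// Recursively collect every axios instance with its dependency path.
function findAxios(node, path = [], hits = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === 'axios') {
      hits.push({ path: here.join(' > '), version: dep.version,
                  vulnerable: isVulnerableAxios(dep.version) });
    }
    findAxios(dep, here, hits);
  }
  return hits;
}

// Constructed sample: patched top-level axios, older copy nested in the SDK.
const sampleTree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    axios: { version: '1.6.1' },
    'purecloud-platform-client-v2': {
      version: '181.0.0',
      dependencies: { axios: { version: '1.5.1' } },
    },
  },
};

for (const h of findAxios(sampleTree)) {
  console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok'}  axios@${h.version}  via ${h.path}`);
}
```

In a real project, replace `sampleTree` with the parsed JSON output of `npm ls axios --all --json` and fail the build if any entry has `vulnerable: true`.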