NPM audit shows security problem in dependency "axios"

[cyril23]

Hi guys,

so this is my package.json:

{
  "name": "tplinkkasa",
  "version": "1.0.0",
  "description": "",
  "main": "server.js",
  "dependencies": {
    "tplink-cloud-api": "^0.8.1",
    "express": "^4.17.1",
    "body-parser": "^1.19.0"
  },
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "node server.js"
  },
  "author": "CY",
  "license": "ISC"
}

I'm using the current version 0.8.1 of tplink-cloud-api.
Further information:

$ node -v
v14.18.2
$ npm -v
8.3.0

Running npm audit shows me a warning because of 2 high severity vulnerabilities:

$ npm audit
# npm audit report

axios  <=0.21.1
Severity: high
Incorrect Comparison in axios - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Server-Side Request Forgery in Axios - https://github.com/advisories/GHSA-4w2v-q235-vp99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
  tplink-cloud-api  >=0.2.0
  Depends on vulnerable versions of axios
  node_modules/tplink-cloud-api

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Obviously I won't run npm audit fix --force because I don't want to downgrade tplink-cloud-api to 0.1.4.

• You currently use: "axios": "^0.18.1"

  tplink-cloud-api/package.json

  Line 51 in 0143634

  "axios": "^0.18.1",

• Looking at Incorrect Comparison in axios - GHSA-cph5-m8f7-6c5x:
  • Affected versions: <= 0.21.1
  • Patched versions: 0.21.2
• Looking at Server-Side Request Forgery in Axios - GHSA-4w2v-q235-vp99:
  • Affected versions: < 0.21.1
  • Patched versions: 0.21.1
• Therefore you should use at least Axios 0.21.2

Can you fix that, please?

[epfromer]

I too ran into this problem today while exploring this useful library. I lifted the login and switch code and was able to get things working directly in my app using native fetch(). @adumont if you are interested, I could look into replacing axios for fetch in a PR.

[adumont]

Hi, sure I would welcome that happily. Unfortunately I don't have time now to maintain this repo but if people send me PR I'll try to merge them and publish the npm when I get the time. Thanks in advance. El sáb., 18 dic. 2021 2:32, Ed Pfromer ***@***.***> escribió:

…

I too ran into this problem today while exploring this useful library. I lifted the login and switch code and was able to get things working directly in my app using native fetch(). @adumont <https://github.com/adumont> if you are interested, I could look into replacing axios for fetch in a PR. — Reply to this email directly, view it on GitHub <#54 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACRLWR44SCL5ILHZPRNSPDURPQCFANCNFSM5KEFIRZA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[epfromer]

#55 #

I updated all packages and stuck with axios since this repo doesn't necessarily work within DOM and have access to DOM fetch(). I also added an example app which I used to test the library. All original tests pass.