Vulnerabilities in axios and sharp Dependencies – Requires Update or Alternatives #7

Closed
@G-O-T-W

Description

Description:
The project currently relies on outdated versions of axios and sharp, both of which have known vulnerabilities. Despite running npm audit fix, these issues persist due to limitations in dependency compatibility.

  1. Axios Cross-Site Request Forgery Vulnerability:

    • Package: axios (version 0.8.1 - 0.27.2)
    • Severity: Moderate
    • Advisory: GHSA-wf5p-g6vw-rhxx
    • Description: A CSRF vulnerability in Axios could allow attackers to trick users into performing actions they didn't intend to. Unfortunately, there's no fix available for the current versions in use.
  2. Sharp Vulnerability in libwebp:

    • Package: sharp (versions <0.32.6)
    • Severity: High
    • Advisory: CVE-2023-4863
    • Description: This vulnerability impacts the libwebp dependency, which sharp uses internally. It could potentially allow remote code execution if exploited.

Current Impact:

  • Running npm audit continues to flag these vulnerabilities without automatic fixes.
  • Attempting to manually update sharp to a fixed version results in conflicts with existing dependencies, specifically @zen-browser/surfer which seems to lock these vulnerable versions.
  • No automatic fix available for the axios vulnerability at this time.

Proposed Solutions:

  1. For axios: Investigate alternatives like node-fetch or got, or consider removing the dependency if possible. A long-term fix should involve upgrading axios once a patch is available.

  2. For sharp: Upgrade to the latest version (>=0.32.6) to patch the libwebp vulnerability. This may require modifying @zen-browser/surfer or resolving dependency conflicts.

Steps to Reproduce:

  1. Run npm audit or npm audit fix.
  2. Observe that vulnerabilities in axios and sharp are flagged, but no complete fix is available.

Please advise on whether there are any plans to:

  • Upgrade these dependencies.
  • Implement alternative libraries to replace vulnerable packages.

Thank you!
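One way to force the patched sharp past the range held by @zen-browser/surfer, without waiting on that package, is an npm `overrides` entry in the project's own package.json (npm 8.3 or later). This is an added example, not the project's manifest; the project name, the @zen-browser/surfer version placeholder, and the axios lower bound (the first version above the 0.8.1 - 0.27.2 range listed above) are assumptions to verify against the advisories before use.

```json
{
  "name": "example-project",
  "private": true,
  "dependencies": {
    "@zen-browser/surfer": "<pinned version from the project's lockfile>"
  },
  "overrides": {
    "sharp": ">=0.32.6",
    "axios": ">=0.28.0"
  }
}
```

After `npm install`, `npm ls sharp axios` shows the versions actually resolved and which dependents pull them in, and `npm audit` should stop flagging the two advisories; because an override replaces a version the dependent never tested against, exercise the @zen-browser/surfer image and HTTP code paths before relying on it.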
