Commit
1 parent 3f842e0, commit c9aca75
Showing 9 changed files with 32 additions and 24 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,3 @@ | ||
module.exports = { | ||
"version": "0.25.0" | ||
"version": "0.26.0" | ||
}; |
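Review bot: this hunk only bumps the exported version constant to 0.26.0, while the security-relevant part of the commit discussed below (the lockfile update that pulls in a patched follow-redirects) is in one of the eight files not rendered on this page, so it cannot be reviewed from here; before merging, open the lockfile diff and confirm the new resolved follow-redirects version and its integrity field, and check that package.json also reads 0.26.0 so this generated file and the manifest do not drift apart.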
Whoever wrote this CVE entry, it is totally wrong. It does not mention the vulnerable dependency (follow-redirects) or cookies at all. Can someone please update the CVE entry to reflect that it is about cookies from redirects and generally in another dependency and not in axios itself?
Please try to understand how SemVer ranges and selectors work. Any project which consumes axios will automatically get the latest version of follow-redirects.
https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/
https://nvd.nist.gov/vuln/detail/CVE-2022-1214
@jasonsaayman @JamieSlome
@DanielRuf - I think the best course of action here is to revoke the CVE given that the issue stems from a dependency, rather than the package itself. To the side of this, we will run an internal review to make sure that vulnerabilities of dependencies are not treated as vulnerabilities against a root project.
@jasonsaayman - before I proceed with this, I do want your input here as you are best placed to understand the issue.
EDIT: just on looking at the commit deeper, it doesn't make sense for a CVE to be assigned here, so will revoke it now 👍
@JamieSlome @DanielRuf Ok cool I agree, in addition most redirect issues where a CVE is raised are almost 99% a follow-redirects issue and should rather be raised over there :) thanks for the help
@DanielRuf @jasonsaayman: this has now been revoked and updated on the report page accordingly 👍
@DanielRuf If I understand correctly, the vulnerability is not an issue explicitly with Axios, but rather with the follow-redirects dependency that is called by Axios. If that is the case, is there a separate CVE or vulnerability attached to a follow-redirects version?
Exactly, since the change is only in the lockfile.
See these links:
c5bdbd4 (commit / changes)
v0.25.0...v0.26.0 (changes between .25 and .26)
follow-redirects/follow-redirects@8b347cb (relevant change in follow-redirects)
follow-redirects/follow-redirects#183 (relevant issue)
https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/ (report)
https://nvd.nist.gov/vuln/detail/CVE-2022-0155 (CVE entry, CVE-2022-0155 - also links to GHSA-74fj-2j2h-c42q - mentioned / linked in previous links)
Does this answer your question @robert-molecula?
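The two points made in this thread (a consumer of axios gets whatever follow-redirects its SemVer range resolves to, and the actual fix lives in the lockfile) are easiest to verify by reading the lockfile directly. The following is an added example, not code from axios or follow-redirects: it scans an npm lockfile's `packages` map for every installed copy of a dependency, nested copies included, and flags those below a fixed version. The sample lockfile, the `legacy-client` package and the `FIXED_VERSION` value are constructed placeholders; take the real fixed version from the advisory linked above.

```javascript
// Added example (not axios or follow-redirects code): audit a package-lock.json
// (lockfileVersion 2/3 "packages" map as written by npm 7+) for every resolved
// copy of a dependency and flag copies older than a caller-supplied fixed version.

function parseVersion(v) {
  // Drop a leading "v" and any pre-release/build suffix, then split x.y.z into numbers
  const core = v.replace(/^v/, "").split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1 comparing the major.minor.patch triples of a and b
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lists every install path of pkgName with its resolved version and whether it
// is below fixedVersion. Nested copies such as
// "node_modules/<parent>/node_modules/<pkgName>" are included, because a hoisted
// patched copy at the top level does not fix a stale nested one.
function auditLockfile(lockJson, pkgName, fixedVersion) {
  const lock = JSON.parse(lockJson);
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`)) {
      results.push({
        path,
        version: entry.version,
        vulnerable: compareVersions(entry.version, fixedVersion) < 0,
      });
    }
  }
  return results;
}

// Constructed sample lockfile: a patched hoisted copy plus a stale nested copy
// under a hypothetical "legacy-client" package.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 2,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/axios": { version: "0.26.0", dependencies: { "follow-redirects": "^1.14.8" } },
    "node_modules/follow-redirects": { version: "1.14.8" },
    "node_modules/legacy-client": { version: "2.0.0" },
    "node_modules/legacy-client/node_modules/follow-redirects": { version: "1.13.0" },
  },
});
// Assumed placeholder: substitute the fixed version stated in the GHSA/NVD entry.
const FIXED_VERSION = "1.14.7";
```

Running `auditLockfile(SAMPLE_LOCK, "follow-redirects", FIXED_VERSION)` on the sample reports the hoisted copy as patched and the nested copy under `legacy-client` as still vulnerable, which is exactly the case `npm audit` style range checks on the top-level manifest can miss.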