[CVE-2023-45857] Axios Cross-Site Request Forgery Vulnerability in transitive dependency #1440
Comments
Yes, thank you for bringing this up, we use that dependency in our callback function mixins. Any chance you have bandwidth to try to open a PR for such an upgrade?
Hey @patricknick @mikhailshilkov, If relevant, check out our GitHub repo if you wish to learn more, or start using our app. Please feel free to reach us at [email protected] if you have any requests/questions.
@mikhailshilkov I looked briefly into the required upgrade steps to However, the new package is constructed a bit differently from the old one, meaning, not all options that Pulumi uses (for example
What happened?

GitHub currently reports a vulnerability for Axios on the versions `>= 0.8.1, < 1.6.0`. Axios is used in `adal-node`, a transitive dependency of `azure/ms-rest-nodeauth`, which again is used by `pulumi/azure`.

When investigating the dependency chain, I noticed that `adal-node` is no longer maintained. `azure/ms-rest-nodeauth` is also no longer actively developed and is not planning to remove `adal-node`. See Azure/ms-rest-nodeauth#128. Instead, they suggest migrating to `@azure/identity`.

This is blocking us from addressing the initial Axios security warning. Do you have plans to migrate away from `azure/ms-rest-nodeauth`?

Example

N/A

Output of `pulumi about`

N/A

Additional context

Affects `@pulumi/azure` v5.55.0

Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
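
The dependency chain described in the issue can be confirmed from a project's `package-lock.json`. The following is an added example, not part of the original issue or of Pulumi's code: it walks the lockfile's `packages` map (lockfile v2/v3 layout) from the root and reports the shortest chain to each Axios install inside the range quoted above. The sample lockfile is constructed, and every version in it except `@pulumi/azure` 5.55.0 is a placeholder.

```javascript
// Added example. Lockfile below is constructed; versions other than
// @pulumi/azure 5.55.0 are placeholders, not taken from the issue.
const VULN_MIN = [0, 8, 1], VULN_MAX = [1, 6, 0]; // range quoted in the issue: >= 0.8.1, < 1.6.0

const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number); // ignore prerelease/build tags
const cmp = (a, b) => { for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1; return 0; };
const isVulnerable = (v) => cmp(parse(v), VULN_MIN) >= 0 && cmp(parse(v), VULN_MAX) < 0;
const nameOf = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);

// Node-style resolution inside the lockfile: nearest node_modules/<name>, walking up.
function resolve(packages, from, name) {
  for (let dir = from; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (dir === "") return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

// Breadth-first walk from the root project; returns the shortest chain to each
// vulnerable axios install. Only "dependencies" edges are followed.
function vulnerableChains(lock) {
  const packages = lock.packages || {};
  if (!packages[""]) return [];
  const parent = new Map([["", null]]);
  const queue = [""], chains = [];
  while (queue.length) {
    const path = queue.shift();
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const target = resolve(packages, path, name);
      if (!target || parent.has(target)) continue; // unresolved or already visited
      parent.set(target, path);
      queue.push(target);
      if (name !== "axios" || !isVulnerable(packages[target].version)) continue;
      const chain = [];
      for (let p = target; p !== ""; p = parent.get(p)) chain.unshift(`${nameOf(p)}@${packages[p].version}`);
      chains.push(chain);
    }
  }
  return chains;
}

const sampleLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@pulumi/azure": "^5.55.0" } },
  "node_modules/@pulumi/azure": { version: "5.55.0", dependencies: { "@azure/ms-rest-nodeauth": "^3.0.0" } },
  "node_modules/@azure/ms-rest-nodeauth": { version: "3.0.0", dependencies: { "adal-node": "^0.2.0" } },
  "node_modules/adal-node": { version: "0.2.0", dependencies: { axios: "^0.21.0" } },
  "node_modules/axios": { version: "0.21.4" },
} };
console.log(vulnerableChains(sampleLock).map((c) => c.join(" -> ")));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`.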