
Update axios dependency to latest version #540

Merged
merged 2 commits into from Jan 17, 2024

Conversation

KuSh
Contributor

@KuSh KuSh commented Aug 17, 2023

@KuSh KuSh changed the base branch from v2.x to v3.x November 10, 2023 22:42
@pcj

pcj commented Dec 12, 2023

@rastorc3v @KuSh What's preventing this PR from getting merged? This is causing all kinds of alarms to go off where I work:

Anything the community can do to help?

❯ npm audit
# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install durable-functions@1.1.2, which is a breaking change
node_modules/axios
  durable-functions  >=1.1.3
  Depends on vulnerable versions of axios
  node_modules/durable-functions

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

@pcj

pcj commented Dec 12, 2023

Maybe needs approval from @ejizba or @hossam-nasr? Thx in advance.

@KuSh
Contributor Author

KuSh commented Dec 12, 2023

> This is causing all kinds of alarms to go off where I work

This is exactly why I made a PR. I'm also waiting to be able to shut those alarms off.
Unfortunately I'm a simple user and can't do much more.

@ejizba
Collaborator

ejizba commented Dec 12, 2023

Hi folks, thanks for the ping. We've discussed this internally but haven't posted here. The main blocker is that axios was upgraded across major versions without a discussion of the breaking changes. We plan to update axios, but not until after we fully analyze/test the impact of the breaking changes.

In addition, this vulnerability is a false positive for the durable package. There are a few reasons for this, but one reason is that this vulnerability only applies if using withCredentials set to true, and that's never used in our code.

I do want to apologize for the delay on this. I understand how annoying these security alerts can be and I get that people often don't care if it's a false positive or not. If this was a minor or patch update we would've already done it, but because it's a major version update we have to be more careful. I'm skeptical this will be fixed this month around the holidays, but I'm optimistic we'll get it fixed early in the new year.

@pcj

pcj commented Dec 12, 2023

Thanks for the update @ejizba. Appreciate all your hard work on the project, hopefully your message will placate those whose job function involves risk management for these kinds of things.

@mmajcica

mmajcica commented Jan 8, 2024

Can we bump this to 1.6.5?

@davidmrdavid
Collaborator

Apologies for the delay here. We'll look to correct this warning by our next release, which should happen in the next few weeks.

Member

@castrodd castrodd left a comment


I did not find any potential issues with this update. Everything seems to work as expected.

@davidmrdavid
Collaborator

/azp run


Azure Pipelines successfully started running 1 pipeline(s).

@castrodd castrodd merged commit 930f50f into Azure:v3.x Jan 17, 2024
9 checks passed
@KuSh KuSh deleted the update-axios branch January 18, 2024 06:03