security vulnerability in axios SNYK-JS-AXIOS-6032459 #1096

Closed
mishabruml opened this issue Oct 26, 2023 · 7 comments · Fixed by #1108
Labels
bug Something isn't working

Comments

@mishabruml
Bug description

https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Looks like it's not fixed at the moment in axios but I suppose it will be soon.

As an aside, the current version 0.21.4 used in this package is around 2 years old; is there any reason it couldn't be updated to the latest version 1.5.1? It would mean a major version change, and there doesn't seem to be an official breaking-changes guide, though there are some community ones - see axios/axios#4996

Describe what you expected

No response

Steps to reproduce the issue

No response

Additional context

No response

Command

None

@mishabruml mishabruml added the bug Something isn't working label Oct 26, 2023
@mishabruml
Author

looks like axios are on it axios/axios#6022

@Drarig29
Contributor

Drarig29 commented Nov 6, 2023

Hi @mishabruml! We've had issues bumping axios in the past, because its move to ESM was not working properly with our standalone binary. Also, the latest fix that was published by axios seems to be a breaking change: axios/axios#6028 (comment)

From the maintainer of axios:

I felt that this was not an actual CVE in all honesty as the implementor has control over this and if they decide to set the flag to true they should have understood what that meant.

This is only a vulnerability when withCredentials is set to true, which isn't our case.
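To make the condition in the comment above concrete: the linked advisory concerns axios copying the XSRF cookie value into the X-XSRF-TOKEN request header, and in the affected versions it did so for any cross-origin request when withCredentials was true; the fix restricts this to same-origin requests unless the caller opts in via the new withXSRFToken option (that opt-in is the change the thread calls breaking). The script below is an added example, not code from this issue thread, from axios, or from the project this issue belongs to. It models the two header-attachment policies with its own function names (isSameOrigin, xsrfPolicyAffected, xsrfPolicyFixed, buildHeaders, tokenLeaksCrossOrigin), a constructed cookie jar in place of document.cookie, and constructed request configs, so a reader can see which configs would actually send the token off-origin.

```javascript
// Added example, not code from this issue thread or the project it belongs to.
// It models the decision the axios browser adapter makes about copying the
// XSRF cookie into the X-XSRF-TOKEN request header, before and after the fix
// for SNYK-JS-AXIOS-6032459, so the "only when withCredentials is true"
// condition from the comment above can be checked against concrete configs.
// All function names here are this example's own, not axios APIs.

// Constructed stand-in for document.cookie (axios only reads cookies in its
// browser adapter; a Node CLI never reaches this code path at all).
const SAMPLE_COOKIES = { 'XSRF-TOKEN': 'constructed-token-value' };

function readCookie(name) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_COOKIES, name) ? SAMPLE_COOKIES[name] : null;
}

// Same origin = same scheme and same host:port as the page running the script.
function isSameOrigin(pageOrigin, requestUrl) {
  const page = new URL(pageOrigin);
  const req = new URL(requestUrl, pageOrigin);
  return page.protocol === req.protocol && page.host === req.host;
}

// Affected versions: attach the token when the request is same-origin OR
// withCredentials is true. The second branch is the bug: a cross-origin
// request with withCredentials: true hands the token to the other host.
function xsrfPolicyAffected(config, pageOrigin) {
  return config.withCredentials === true || isSameOrigin(pageOrigin, config.url);
}

// Fixed versions: same-origin only, unless the caller opts in explicitly with
// the withXSRFToken option (this opt-in is the behaviour change the thread calls breaking).
function xsrfPolicyFixed(config, pageOrigin) {
  if (config.withXSRFToken === true) return true;
  if (config.withXSRFToken === false) return false;
  return isSameOrigin(pageOrigin, config.url);
}

// Build the outgoing headers for one request under the given policy.
function buildHeaders(config, pageOrigin, policy) {
  const headers = { ...(config.headers || {}) };
  const cookieName = config.xsrfCookieName || 'XSRF-TOKEN';
  const headerName = config.xsrfHeaderName || 'X-XSRF-TOKEN';
  const token = readCookie(cookieName);
  if (token && policy(config, pageOrigin)) headers[headerName] = token;
  return headers;
}

// Report whether the token would leave the page's origin under each policy.
function tokenLeaksCrossOrigin(config, pageOrigin) {
  const headerName = config.xsrfHeaderName || 'X-XSRF-TOKEN';
  const crossOrigin = !isSameOrigin(pageOrigin, config.url);
  const sentBy = (policy) => headerName in buildHeaders(config, pageOrigin, policy);
  return {
    crossOrigin,
    affected: crossOrigin && sentBy(xsrfPolicyAffected),
    fixed: crossOrigin && sentBy(xsrfPolicyFixed),
  };
}

// Constructed scenarios: a page at app.example calling a third-party API.
const PAGE_ORIGIN = 'https://app.example';
const SCENARIOS = {
  crossOriginWithCredentials: { url: 'https://api.third-party.example/collect', withCredentials: true },
  crossOriginDefault: { url: 'https://api.third-party.example/collect' },
  sameOrigin: { url: '/api/data' },
};

for (const [name, config] of Object.entries(SCENARIOS)) {
  console.log(name, tokenLeaksCrossOrigin(config, PAGE_ORIGIN));
}
```

Running it shows that only the cross-origin request with withCredentials: true sends the token under the affected policy, and that neither policy sends it cross-origin when withCredentials is left at its default; same-origin requests still get the header under both policies, which is the intended CSRF-protection behaviour. A scanner, of course, flags the dependency version rather than this runtime condition, which is why the thread still needed the bump.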

@tobiasweibel
I can see the ESM issues and don't really like to fix such issues in projects of my company.
BUT: as my company runs security scanners, it will assert the axios issue and we basically have to address it somehow.

@psinglet
psinglet commented Nov 8, 2023

This is now causing failures on all scans that use datadog plugins. When can we expect a fix for this?

@Drarig29
Contributor

Drarig29 commented Nov 9, 2023

Hi, just a heads up: we are working on it, a PR is being reviewed.

@mishabruml
Author

@Drarig29 thanks for this, could you re-open the issue until this is released? 😄

@Drarig29
Contributor

Drarig29 commented Nov 10, 2023

@mishabruml you can now use v2.23.1
