[BUG] axios version lesser than 1.6.0 has Cross-Site Request Forgery vulnerability

[dutta-arnab1]

⚠️ Important Notice

Please differentiate the bug

---

🐛 Bug Report:

Describe the bug

axios version lesser than 1.6.0 has Cross-Site Request Forgery vulnerability. This package currently has dependency on @nestjs/axios v0.1.0 which references axios v0.27.0.

Steps to Reproduce

Check axios vulnerability.
GHSA-wf5p-g6vw-rhxx

Expected behavior

The vulnerability should be resolved by upgrading axios to version >1.6.0.

Screenshots

Operation System (please complete the following information):

• OS: Windows
• Version 10

Package System (please complete the following information):

• Version 2.7.0 (latest)

Additional context

[wvanderdeijl]

The upgrade to axios v1.6.0 (the first version with the fixed vulnerability) was incorporated in nestjs/axios in version 3.0.1: https://github.com/nestjs/axios/releases/tag/3.0.1 through PR nestjs/axios@4cdd3f0
I am not sure how much work it would be for openapi-generator-cli to jump from nestjs/axios 0.1.0 to 3.0.1

[wvanderdeijl]

Same issue as #715

[dutta-arnab1]

Hi @wvanderdeijl, do you have plans to make this upgrade and release a version? This is a vulnerability of moderate severity and we would like to have it fixed sooner than later.

[alexan]

there is already a PR updating nestjs/axios to 2.0.0 #704

[dutta-arnab1]

Thanks @alexan for the update. Would it address the mentioned axios vulnerability? I can see there are fixed axios dependency on versions <1.6.0 in both this repo and @nestjs/axios repo.

[wvanderdeijl]

AFAIK upgrading to 2.0.0 is not enough and we need nestjs/axios 3.0.1 to get the fix. I tried to make a PR, but can't even run yarn install on Apple Sillicon running macOS 14.1. It fails trying to run node-gyp to compile fsevents. I do not have access to an intel machine.

[alexan]

@kay-schecker what is missing for this to be adressed?

[sergecpelletier]

Do we have an ETA as to when this will be fixed?

[dmccoy-NL]

Any idea when this will be addressed?

[dutta-arnab1]

Any update on the release date?

[wing328]

please help test #722

the CI tests still failed, which is the last remaining issue to address.

if anyone has time to contribute a fix, please kindly reply to the PR

[dutta-arnab1]

Hi @wing328 , @axtx4869, I just had a look at the PR and it seems a node upgrade is required as well. A quick fix would be to update the node-version from 17.x to 18.x in the build.yaml file. However a more robust fix would be to fix all the node version inconsistencies across the project.

I can see the project now have a mixture of different node versions.

• Node 12 - through nrwl/nx
• Node 16 - through @types/node and e2e environment in build.yaml
• Node 17 - build environment in build.yaml

A quick and less impactful fix would be to upgrade the node version of both build and e2e environments in the build.yaml to node 18.