Vulnerability in axios #2383

Closed
cjfryer opened this issue Nov 28, 2023 · 2 comments · Fixed by #2394
cjfryer commented Nov 28, 2023

A cross-site request forgery vulnerability exists in axios < 1.6.0. The Prototype Kit requires axios@0.21.4 via a transitive dependency on localtunnel@2.0.2, which is itself a dependency of browser-sync@2.29.3.

└─┬ govuk-prototype-kit@13.15.3
  └─┬ browser-sync@2.29.3
    └─┬ localtunnel@2.0.2
      └── axios@0.21.4

The vulnerability has been reported on the localtunnel GitHub repo, but the last commit on localtunnel was August 2022, so I'm not convinced this will be addressed in a timely manner.
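The dependency chain quoted above can be checked mechanically rather than by reading `npm ls` output by eye. The following is an added example, not code from the issue or the Prototype Kit: it walks an `npm ls --json`-shaped tree (the sample tree is constructed here to mirror the chain in the issue) and reports every path that reaches a package installed below a given fixed version.

```javascript
// Added example (not from the issue): find transitive paths to a package that is
// installed below the version in which a vulnerability was fixed.
// `sampleTree` is constructed to match the chain quoted in the issue; in practice
// you would JSON.parse the output of `npm ls --json --all`.
const sampleTree = {
  name: 'govuk-prototype-kit', version: '13.15.3',
  dependencies: {
    'browser-sync': {
      version: '2.29.3',
      dependencies: {
        localtunnel: {
          version: '2.0.2',
          dependencies: { axios: { version: '0.21.4' } },
        },
      },
    },
  },
};

// Compare dotted numeric versions ('0.21.4' < '1.6.0'); prerelease suffixes are ignored.
function versionLess(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk; returns every path "root@v > dep@v > ... > target@v"
// where `target` is installed at a version below `fixedIn`.
function findVulnerablePaths(tree, target, fixedIn) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (node !== tree && name === target && versionLess(node.version, fixedIn)) {
      hits.push(here.join(' > '));
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

console.log(findVulnerablePaths(sampleTree, 'axios', '1.6.0'));
```

For a real project, pipe `npm ls --json --all` into this instead of the constructed tree; the `--all` flag matters because newer npm versions otherwise omit deduplicated transitive entries.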

@timothyPatterson

Browser-sync has now been updated (>=3.0) so that installation of localtunnel is the responsibility of the user (see commit). A patched version of localtunnel has been created here.
For context on browser-sync/localtunnel, see here.

@colinrotherham

Closed by #2394

@36degrees 36degrees added this to the [next] milestone Feb 22, 2024