Component Governance fails due to axios@0.20.0 #6702

@jonthysell

Description

CVE-2020-28168

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a
proxy by providing a URL that responds with a redirect to a restricted host or IP address.

yarn why axios
yarn why v1.22.5
[1/4] Why do we have the module "axios"...?
[2/4] Initialising dependency graph...
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.0.2"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.2.0"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^5.0.0"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.0.2"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.0.2"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.0.2"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^4.0.0"
warning Resolution field "kind-of@6.0.3" is incompatible with requested version "kind-of@^3.0.3"
warning Resolution field "appium-android-driver@4.12.0-stub.0" is incompatible with requested version "appium-android-driver@^4.0.0"
warning Resolution field "appium-selendroid-driver@1.13.4-stub.0" is incompatible with requested version "appium-selendroid-driver@1.x"
warning Resolution field "appium-android-driver@4.12.0-stub.0" is incompatible with requested version "appium-android-driver@^4.12.0"
warning Resolution field "appium-android-driver@4.12.0-stub.0" is incompatible with requested version "appium-android-driver@^4.10.0"
warning Resolution field "appium-android-driver@4.12.0-stub.0" is incompatible with requested version "appium-android-driver@^4.0.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "axios@0.20.0"
info Reasons this module exists
   - "_project_#appium-base-driver#appium-support" depends on it
   - Hoisted from "_project_#appium-base-driver#appium-support#axios"
info Disk size without dependencies: "476KB"
info Disk size with unique dependencies: "520KB"
info Disk size with transitive dependencies: "520KB"
info Number of shared dependencies: 1
Done in 1.17s.
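The `yarn why` output above shows the vulnerable version arriving transitively (hoisted from `appium-support`), which is the case a lockfile audit has to catch rather than a direct `package.json` check. The following is an added example, not code from this issue or from the project: it parses a yarn v1 lockfile, collects every resolved version of a package, and reports the ones older than the version that carries the fix. The lockfile text is constructed for the example, and the fixed version 0.21.1 for CVE-2020-28168 is taken from the upstream advisory, not from this issue; the parser and version comparison are simplified (prerelease tags are ignored when comparing).

```javascript
// Added example (not the project's code): scan a yarn v1 lockfile for every
// resolved version of a package that is older than the version with the fix.

// Constructed sample lockfile, modelled on yarn v1 syntax. It deliberately
// contains two resolutions of axios: one vulnerable, one fixed.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/node@^14.0.0":
  version "14.14.10"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-14.14.10.tgz"

axios@^0.20.0:
  version "0.20.0"
  resolved "https://registry.yarnpkg.com/axios/-/axios-0.20.0.tgz"
  dependencies:
    follow-redirects "^1.10.0"

axios@^0.21.1:
  version "0.21.1"
  resolved "https://registry.yarnpkg.com/axios/-/axios-0.21.1.tgz"
  dependencies:
    follow-redirects "^1.10.0"
`;

// "axios@^0.20.0" -> "axios"; "@types/node@^14.0.0" -> "@types/node".
// The leading "@" of a scoped package is not a separator, hence lastIndexOf.
function packageName(specifier) {
  const at = specifier.lastIndexOf('@');
  return at > 0 ? specifier.slice(0, at) : specifier;
}

// Parse a yarn v1 lockfile into entries of { specifiers, name, version }.
// A header line is unindented and ends with ":"; it may list several
// comma-separated "name@range" specifiers, each optionally double-quoted.
// The resolved version is the indented `version "x.y.z"` line that follows.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.startsWith('#') || line.trim() === '') continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const specifiers = line
        .slice(0, -1)
        .split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''));
      current = { specifiers, name: packageName(specifiers[0]), version: null };
      entries.push(current);
      continue;
    }
    const m = line.match(/^\s+version "([^"]+)"$/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Compare dotted versions numerically: -1, 0 or 1. Prerelease suffixes
// ("-stub.0", "-beta") are dropped, so a prerelease of the fixed version
// is treated as fixed; tighten this if that matters for your policy.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every resolved version of `name` older than `fixedIn`, with the ranges
// that pulled it in, so the offending transitive dependency can be traced.
function findVulnerable(lockText, name, fixedIn) {
  return parseYarnLock(lockText)
    .filter(e => e.name === name && e.version !== null && compareVersions(e.version, fixedIn) < 0)
    .map(e => ({ version: e.version, specifiers: e.specifiers }));
}

// Stand-alone run: reports axios@0.20.0 from the constructed lockfile.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK, 'axios', '0.21.1'), null, 2));
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the contents of `yarn.lock`; each hit lists the range specifiers that resolved to the old version, which is the same information `yarn why` prints under "Reasons this module exists" and tells you which package's range needs to be bumped or overridden via a `resolutions` entry.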

Labels: bug, security (Pull requests that address a security vulnerability)
