
Current management SDK release has high priority vulnerability with Axios #85

Closed
kevin-mitchell opened this issue Apr 26, 2021 · 3 comments
@kevin-mitchell (Contributor)

Description

When installing dc-management-sdk-js via npm install, there is a high severity vulnerability reported.

Steps to Reproduce

There are of course many ways to do this, but from "scratch":

mkdir example
cd example/
npm init --yes
npm install dc-management-sdk-js --save

(You can also see there are even more vulnerabilities reported if you clone the actual repo:

git clone git@github.com:amplience/dc-management-sdk-js.git
cd dc-management-sdk-js
npm install

)

Expected Results

Install dependencies without any reported high severity vulnerabilities

Actual Results

npm WARN deprecated axios@0.18.1: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN example@1.0.0 No description
npm WARN example@1.0.0 No repository field.

+ dc-management-sdk-js@1.10.0
added 7 packages from 9 contributors and audited 7 packages in 0.868s

1 package is looking for funding
  run `npm fund` for details

found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Affected browsers/environments

I believe anything using this package.

Versions

"dependencies": {
  "dc-management-sdk-js": "^1.10.0"
}

Other information

I would like to be able to use the management SDK in a project, but because of policies around high priority vulnerabilities in NPM dependencies this is a lot more difficult.
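The reproduction above relies on `npm audit`, which needs the registry. As an added example (not code from the issue or from the SDK), the following offline check walks a lockfileVersion-1 `package-lock.json` and flags every copy of axios below 0.21.1, the version the deprecation notice names as fixed, reporting the dependency path so a reviewer can see which package pulled it in. The lockfile contents are constructed for the example.

```javascript
// Added example (not part of the original issue or the SDK): walk a
// lockfileVersion-1 package-lock.json and flag every copy of a package that is
// below the version the npm deprecation notice names as fixed (axios < 0.21.1).
// The lockfile below is constructed for the example; real trees vary.

const FIXED = { axios: "0.21.1" }; // package -> first non-vulnerable version (from the npm warning)

// Compare two dotted numeric versions; returns <0, 0 or >0. Pre-release tags
// are stripped, which is enough for the release versions this check cares about.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively visit the "dependencies" tree: npm nests a copy under the
// dependant when it cannot hoist it, so a vulnerable copy can sit several
// levels down even when the top-level copy is already patched.
function findVulnerable(lock, fixed = FIXED) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (fixed[name] && compareVersions(info.version, fixed[name]) < 0) {
        findings.push({ name, version: info.version, fixed: fixed[name], path: here.join(" > ") });
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return findings;
}

// Constructed lockfile: the SDK carries an old axios under itself while the
// project's own axios is already patched, so only the nested copy is flagged.
const sampleLock = {
  name: "example", version: "1.0.0", lockfileVersion: 1,
  dependencies: {
    axios: { version: "0.21.1" },
    "dc-management-sdk-js": {
      version: "1.10.0",
      requires: { axios: "^0.18.1" },
      dependencies: { axios: { version: "0.18.1" } },
    },
  },
};

for (const f of findVulnerable(sampleLock)) {
  console.log(`${f.path}: ${f.name}@${f.version} is below fixed version ${f.fixed}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfileVersion 2 and 3 files use a flat `packages` map instead and need a different walker.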

@easen-amp (Member)

Hi @kevin-mitchell,

Reading the upstream issue (axios/axios#3369), I don’t believe we are impacted; this vulnerability is related to the Axios proxy feature, and our SDK doesn't allow you to specify a proxy.

Are you able to supply a code example that demonstrates that we are directly impacted by this issue?

Regarding #29, any change to our SDK needs to be approved by our internal QA team before it can be released, so even though our unit tests pass, etc., it still requires a QA approval.

I cannot give any estimate as to when this will be done at the current time.

@kevin-mitchell (Contributor, Author) commented Apr 27, 2021

Hey @easen-amp thanks a bunch for the info!

So re: the Axios issue actually being relevant or not, I haven't checked and don't know (I would believe you that it is not!). The problem we're running into is that the greater "ecosystem" that we deploy into has various static code analysis tools / security checks and policies. These might happen at build or deploy time, and are very likely done by a different team that doesn't have the capability to read through code to see if something is actually a vulnerability.

So hopefully that makes sense - it's more of a tooling issue, and it's not always something an individual developer / team can say "oh it's not actually an issue."

@easen-amp easen-amp self-assigned this May 7, 2021
@easen-amp (Member)

Released #87 v1.11.0
