SSRF vulnerability in axios version < 0.21.1

[scottwittenburg]

Our project has a transitive dependency on axios via this project. A couple days ago, we started seeing high severity dependabot alert regarding axios versions < 0.21.1.

I can make a PR simply updating the version, but as a lot of folks have started moving to the latest version of axios, at least one report came in about some features maybe not working the same after moving from 0.19 to 0.21. I have no idea whether this project would be affected by that, or if transition would be smooth.

Here's the original axios issue, and a link to the more recent issue created after people started picking up the fix.

Please let me know what I can do to help.

[zachmullen]

We are on axios v0.21.1 in this library.

[zachmullen]

@scottwittenburg if you want to create a new release in this repo, feel free and I'll publish it.

[scottwittenburg]

Ah, sorry for the noise, I thought I had checked the version you were using.

What would I do to create a new release?

Thanks.

[zachmullen]

Just go into package.json and bump the version from 2.3.0 to 2.3.1, and make a PR of that. I'll approve that and merge it, then push a git tag, which will trigger the publication of the new package. Thanks!

[scottwittenburg]

Done in #300, thanks @zachmullen!