From c8281ab5857682b6665a6a0a681f8b7d794275a0 Mon Sep 17 00:00:00 2001
From: Shawn Gustaw
Date: Thu, 30 May 2019 11:15:22 -0700
Subject: [PATCH 1/2] Address CVE-2019-10742

* axios versions <= 0.18.0 are vulnerable to DoS attacks by continuing to accept content after maxContentLength is exceeded

See: https://nvd.nist.gov/vuln/detail/CVE-2019-10742
---
 package.json | 2 +-
 yarn.lock | 28 ++++++++++++++++++----------
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/package.json b/package.json
index 1e1188cc..890074d1 100644
--- a/package.json
+++ b/package.json
@@ -40,7 +40,7 @@
 ],
 "dependencies": {
 "@segment/loosely-validate-event": "^2.0.0",
-"axios": "^0.17.1",
+"axios": "^0.19.0",
 "axios-retry": "^3.0.2",
 "lodash.isstring": "^4.0.1",
 "md5": "^2.2.1",
diff --git a/yarn.lock b/yarn.lock
index 53f97246..53d2123b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -575,12 +575,13 @@ axios-retry@^3.0.2:
 dependencies:
 is-retry-allowed "^1.1.0"
 
-axios@^0.17.1:
- version "0.17.1"
- resolved "https://registry.yarnpkg.com/axios/-/axios-0.17.1.tgz#2d8e3e5d0bdbd7327f91bc814f5c57660f81824d"
+axios@^0.19.0:
+ version "0.19.0"
+ resolved "https://registry.yarnpkg.com/axios/-/axios-0.19.0.tgz#8e09bff3d9122e133f7b8101c8fbdd00ed3d2ab8"
+ integrity sha512-1uvKqKQta3KBxIz14F2v06AEHZ/dIoeKfbTRkK1E5oqjDnuEerLmYTgJB5AiQZHJcljpg1TuRzdjDR06qNk0DQ==
 dependencies:
- follow-redirects "^1.2.5"
- is-buffer "^1.1.5"
+ follow-redirects "1.5.10"
+ is-buffer "^2.0.2"
 
 babel-code-frame@^6.22.0, babel-code-frame@^6.26.0:
 version "6.26.0"
@@ -1866,9 +1867,10 @@ debug@2, debug@2.6.9, debug@^2.1.2, debug@^2.2.0, debug@^2.3.3, debug@^2.6.8, de
 dependencies:
 ms "2.0.0"
 
-debug@3.1.0, debug@^3.0.1, debug@^3.1.0:
+debug@3.1.0, debug@=3.1.0, debug@^3.0.1, debug@^3.1.0:
 version "3.1.0"
 resolved "https://registry.yarnpkg.com/debug/-/debug-3.1.0.tgz#5bb5a0672628b64149566ba16819e61518c67261"
+ integrity sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==
 dependencies:
 ms "2.0.0"
 
@@ -2715,11 +2717,12 @@ fn-name@^2.0.0:
 version "2.0.1"
 resolved "https://registry.yarnpkg.com/fn-name/-/fn-name-2.0.1.tgz#5214d7537a4d06a4a301c0cc262feb84188002e7"
 
-follow-redirects@^1.2.5:
- version "1.5.1"
- resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.5.1.tgz#67a8f14f5a1f67f962c2c46469c79eaec0a90291"
+follow-redirects@1.5.10:
+ version "1.5.10"
+ resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.5.10.tgz#7b7a9f9aea2fdff36786a94ff643ed07f4ff5e2a"
+ integrity sha512-0V5l4Cizzvqt5D44aTXbFZz+FtyXV1vrDN6qrelxtfYQKW0KO0W2T/hkE8xvGa/540LkZlkaUjO4ailYTFtHVQ==
 dependencies:
- debug "^3.1.0"
+ debug "=3.1.0"
 
 for-in@^0.1.3:
 version "0.1.8"
@@ -3408,6 +3411,11 @@ is-buffer@^1.0.2, is-buffer@^1.1.5, is-buffer@~1.1.1:
 version "1.1.6"
 resolved "https://registry.yarnpkg.com/is-buffer/-/is-buffer-1.1.6.tgz#efaa2ea9daa0d7ab2ea13a97b2b8ad51fefbe8be"
 
+is-buffer@^2.0.2:
+ version "2.0.3"
+ resolved "https://registry.yarnpkg.com/is-buffer/-/is-buffer-2.0.3.tgz#4ecf3fcf749cbd1e472689e109ac66261a25e725"
+ integrity sha512-U15Q7MXTuZlrbymiz95PJpZxu8IlipAp4dtS3wOdgPXx3mqBnslrWU14kxfHB+Py/+2PVKSr37dMAgM2A4uArw==
+
 is-builtin-module@^1.0.0:
 version "1.0.0"
 resolved "https://registry.yarnpkg.com/is-builtin-module/-/is-builtin-module-1.0.0.tgz#540572d34f7ac3119f8f76c30cbc1b1e037affbe"

From 112f185dcdba032c6e8b15df981002bc30f16a6a Mon Sep 17 00:00:00 2001
From: Shawn Gustaw
Date: Tue, 4 Jun 2019 14:20:12 -0700
Subject: [PATCH 2/2] Retrigger build