Axios: Vulnerability found

Created on 29 May 2019  ·  32 Comments  ·  Source: axios/axios

High severity


Most helpful comment

It is merged (#1485) but not released yet. You may refer to https://snyk.io/vuln/SNYK-JS-AXIOS-174505.

All 32 comments

+1 on this, got this today and will need to roll out a fix for compliance asap. If nobody has bandwidth i can try to jump on this next week.

+1 here, would like to get this fix.

+1 here, any solutions?

+1, solutions?

It is merged (#1485) but not released yet. You may refer to https://snyk.io/vuln/SNYK-JS-AXIOS-174505.

Is there a plan to make a release including this? Is there anything we can do to help speed this?

I'd like to also know if there is a plan to release a version with the patch.

big +1

up +1

As I mentioned in #1485, it might be better to click the Subscribe button for this issue instead of commenting with a +1 🙂 That way you'll be notified without creating notifications or emails for everyone else. I know this is going to be popping up for a lot of GitHub repositories.

Subscribe button screenshot

When will this issue be fixed? I have received tons of mail from github regarding axios.

I'm also having this issue. I don't know anything about it :'( someone pls help!!

Pressing the "Subscribe" button means a spam attack because of people like ^ ^

Oh, wait a moment, now I'm one of them :)

Fellas, please click this button instead of leaving useless comments

Pinging @nickuraltsev & @mzabriskie, seeing that @emilyemorehouse is no longer listed on npm as a collaborator.

Per @spilist's comment, it seems the fix is already merged (#1485). Can we please get an 0.19.0 or 0.18.0.patch release?

If you really have to get a fix out for your IT team and you're ok taking what's on tip: npm install --save git://github.com/axios/axios.git#f28ff93

0.19.0 has a fix and has been released!

Since this repo is pre-v1, this change (and only this change) really should have been published as a patch bump (0.18.1) so that apps which have the dependency set to ^0.18.0 can get the patch automatically.

@tybro0103 agreed - I plan on releasing an 0.18.1 as well but need to get a branch set up to cherry-pick the fix since this project always released from master

@emilyemorehouse It seems that once you release a version on npm, you cannot roll it back. So if it's true, maybe you should keep 0.19.0 or it would cause more trouble later.

They can deploy both 0.19.0 and 0.18.1.

Thank you @emilyemorehouse and everyone! Problem fixed!

Got it fixed from the update, thanks @emilyemorehouse and everyone! For my mates to see just run npm install axios@latest --save

Thanks for the release!

Just to confirm, is a patch release going to be published, or do we need to use the 0.19.0 release for the fix?

Don't want to pile on (sorry!) but I'm also curious about 0.18.1. Looks like 0.19.0 carries some breaking changes for us. We're looking to wait for the patch rather than trying to upgrade & fix the break.

I'm actively working on 0.18.1 — hoping to have it released sometime today!

You're the best! Thank you for all the work on this 🤗

Hello, forgive my ignorance: I have axios 0.18 installed in my project, and when I uploaded my project to GitHub I received the alert: "We found a potential security vulnerability in one of your dependencies." What is the solution that you managed to find here?

@FerCruzBanegas with "axios": "^0.18" you should already be pulling 0.18.1 which has the vulnerability patched.

If you want to make sure you can change it to "axios": "^0.18.1", in your package.json file. That should make the warning go away

@vesper8 thank you very much, now I will update my dependency

dude someone pls tell me how do I update my "Axios! 13 days n I still have noqlue!"
dude someone pls tell me how do I update my "Axios! 13 days n I still have no clue!"

the easiest way to resolve the vulnerability without changing functionality is to upgrade from 0.18.0 to 0.18.1.

npm install axios@0.18.1

or

yarn add axios@0.18.1
