Outdated axios dependency causes security vulnerability #1824

Open
jkesseler opened this issue Jun 17, 2024 · 9 comments
Labels
backlog Issue/PR/discussion is reviewed and added to backlog for the further work 🐞 bug

Comments

@jkesseler

Describe the Bug

See: GHSA-wf5p-g6vw-rhxx
Please keep dependencies up-to-date

To Reproduce

Run npm install on any project depending on '@sitecore-jss/sitecore-jss'

Expected Behavior

No security vulnerabilities

Possible Fix

Keep dependencies up to date.

Provide environment information

  • Sitecore Version: Not applicable
  • JSS Version: 22
  • Browser Name and version: Not applicable
  • Operating System and version (desktop or mobile): Not applicable
  • Link to your project (if available): Not applicable
@art-alexeyenko art-alexeyenko added the backlog Issue/PR/discussion is reviewed and added to backlog for the further work label Jun 28, 2024
@art-alexeyenko
Contributor

Thank you for reporting this. It's in our backlog for further prioritization.

@jamesryan-dev

+1

@banghelache44

Hello, is there any momentum on this?

@yavorsk
Contributor

yavorsk commented Oct 7, 2024

Hey, @banghelache44, @jamesryan-dev, in the jss team we keep coming back to the topic of upgrading (or removing) axios. Due to this being not as straightforward as probably seems and having other, higher priority things on our list we are still yet to start work on it. However, just last week we discussed to prioritize it so hopefully we'll have a solution soon.

@thany

thany commented Nov 22, 2024

Noticed this one today as well. Can you actually just update it please, dear devs? I don't see anything breaking when I forcibly make it use a newer version.

With respect, this is taking way too long for such a minor code change. The current dependency version is almost 4 years old 😲 Kind of ridiculous, frankly.

Currently I have this in our package.json:

"overrides": {
  "@sitecore-jss/sitecore-jss-nextjs": {
    "@sitecore-jss/sitecore-jss": {
      "axios": "^1.6.2"
    }
  }
}

And this works perfectly and flawlessly. I even went so far as to verify that it really is using this version at runtime, and it is.

As of currently, I can probably bump it to 1.7.7 and be totally and utterly fine.

@yavorsk

Due to this being not as straightforward as probably seems

Please have that discussion here. There is no need to scurry away in a room and have such discussion offline and in the dark (I'm just imagining 😀). Please share what is not straight-forward, people here can help. I for one, can tell you it absolutely is straight-forward.

This is 5 minutes work. Or 3 minutes if you hurry a little 😅
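The override above pins the nested copy of axios, and the comment mentions verifying which version is actually resolved. The following is an added example (not code from this thread or from the JSS project) that does that check from the lockfile side: it walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3), finds every resolved copy of a package including transitive ones nested under other packages, and flags copies below a minimum version. The sample lockfile is constructed for illustration, and the minimum version 1.6.2 is simply the override value quoted in the comment, used as an assumption rather than as the advisory's official fixed version.

```javascript
// Added example: find every resolved copy of a dependency in an npm lockfile
// (lockfileVersion 2/3 "packages" map) and flag the ones below a minimum version.
// Not part of the JSS project; the sample lockfile below is constructed.

// Parse "1.6.2" into [1, 6, 2]; prerelease and build metadata are ignored.
function parseVersion(v) {
  return v.split('-')[0].split('+')[0].split('.').map(n => parseInt(n, 10) || 0);
}

// Negative if a < b, 0 if equal, positive if a > b (major.minor.patch only).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every resolved copy of `name`. Lockfile keys look like "node_modules/axios"
// or "node_modules/@sitecore-jss/sitecore-jss/node_modules/axios"; the suffix
// match is anchored on a path separator so "axios-retry" does not match "axios".
function findPackageCopies(lockfile, name) {
  const packages = lockfile.packages || {};
  const suffix = 'node_modules/' + name;
  return Object.entries(packages)
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies whose resolved version is below `minVersion`.
function findOutdatedCopies(lockfile, name, minVersion) {
  return findPackageCopies(lockfile, name)
    .filter(c => compareVersions(c.version, minVersion) < 0);
}

// Same check starting from the raw JSON text of a package-lock.json.
function scanLockfileText(text, name, minVersion) {
  return findOutdatedCopies(JSON.parse(text), name, minVersion);
}

// Constructed sample: the app's own axios is current, but the copy nested under
// a (hypothetical) dependency resolves to an old 0.x release.
const SAMPLE_LOCKFILE = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { axios: '^1.7.7' } },
    'node_modules/axios': { version: '1.7.7' },
    'node_modules/@sitecore-jss/sitecore-jss': { version: '22.0.0', dependencies: { axios: '0.21.1' } },
    'node_modules/@sitecore-jss/sitecore-jss/node_modules/axios': { version: '0.21.1' },
    'node_modules/axios-retry': { version: '4.0.0' } // similar name, must not match
  }
};

// Assumption: minimum taken from the override in the comment above.
const MIN_AXIOS = '1.6.2';

const outdated = findOutdatedCopies(SAMPLE_LOCKFILE, 'axios', MIN_AXIOS);
for (const c of outdated) {
  console.log(`${c.path} resolves axios ${c.version} < ${MIN_AXIOS}`);
}
if (outdated.length === 0) console.log('no outdated axios copies');
```

To run it against a real project, pass the contents of its package-lock.json to `scanLockfileText(text, 'axios', '1.6.2')`; an empty result means no nested copy is older than the pin, which is the same thing the override is meant to guarantee.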

@rsrinivasanhome

We are also interested in the fix. The issue seems to be open for almost 6 months now.

@thany

thany commented Dec 12, 2024

3 weeks since my last comment, and no response from the devs. Honestly, what does it take to get information out of them, or 5 minutes of their time to apply this fix? Now that it's also a security vulnerability, why the heck isn't this getting critical priority?

Honestly, I feel Sitecore is an extremely backend-minded company that sees frontend stuff as a necessary evil, and in general kind of an afterthought. Or maybe there's a very strict "what worked then, oughta work now" kind of mentality, which is frankly toxic. This wouldn't be the first issue that takes weeks and weeks and months and months to get somewhere, if anywhere.

But hey, I can still be proven wrong. I'd love to in this case.

@yavorsk
Contributor

yavorsk commented Dec 16, 2024

Sorry guys it is taking so long, I understand your frustration. The team hasn't forgotten about this, believe me. We'll have axios removed soon.

@thany

thany commented Dec 17, 2024

It's not frustration, it's security. Take it seriously.
