Hi,
I installed node-red-contrib-graphql through the Node-RED UI and later ran a security audit (npm audit) on the terminal of the machine where Node-RED is running. The audit report revealed some vulnerabilities originating from the axios package, which appears to be an indirect dependency of the GraphQL node.
I generated a detailed report using the following command:
```sh
npm audit --json > full-audit.json
```
Here are the relevant findings from the report:
```json
{
  "vulnerabilities": {
    "axios": {
      "name": "axios",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1097680,
          "name": "axios",
          "dependency": "axios",
          "title": "Axios Cross-Site Request Forgery Vulnerability",
          "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
          "severity": "moderate",
          "cwe": [
            "CWE-352"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=1.0.0 <1.6.0"
        },
        {
          "source": 1103618,
          "name": "axios",
          "dependency": "axios",
          "title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
          "url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
          "severity": "high",
          "cwe": [
            "CWE-918"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=1.0.0 <1.8.2"
        }
      ],
      "effects": [
        "node-red-contrib-graphql"
      ],
      "range": "1.0.0 - 1.8.1",
      "nodes": [
        "node_modules/axios"
      ],
      "fixAvailable": {
        "name": "node-red-contrib-graphql",
        "version": "2.0.1",
        "isSemVerMajor": true
      }
    }
  }
}
```
It looks like the version of axios currently used falls within a vulnerable range. I wanted to ask:
Is it possible to safely update the axios dependency to a non-vulnerable version (≥1.8.2) without breaking the functionality of node-red-contrib-graphql?
If not, are there plans to update this dependency in a future release?
Thank you for your time and for maintaining this project. I look forward to hearing your thoughts on how best to proceed.
Best regards,
Cooper