Azure-sdk-for-js: @azure/identity is using vulnerable version of [email protected] with high severity
- Package Name:
@azure/identity - Package Version:
1.2.0 - Operating system:
- [x] nodejs
- version:
14.10.1
- version:
- [ ] browser
- name/version:
- [ ] typescript
- version:
- Is the bug related to documentation in
- [ ] README.md
- [ ] source code documentation
- [ ] SDK API docs on https://docs.microsoft.com
Describe the bug
[email protected] has high severity vulnerability, documented at https://npmjs.com/advisories/1594. It is fixed in axios@>0.21.1.
Since @azure/identity is a base package of other SDKs, the issue could have a broad impact across all SDKs.
To Reproduce
Steps to reproduce the behavior:
npm install @azure/identity
Expected behavior
It should not report any vulnerabilities.
Screenshots
Additional context
compulim
All 14 comments
Thanks for reporting @compulim
cc @jonathandturner
ramya-rao-a
on 6 Jan 2021
@jonathandturner The axios package is also used by @azure/msal-node which we use. Can we get it updated upstream as well? See https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/2ab1fb8f280ab49a42c7eaabfa4c3ec941aa19e1/lib/msal-node/package.json#L74
ramya-rao-a
on 7 Jan 2021
Will this be fixed in the 1.2.1 release? If yes, when can we expect 1.2.1 to be available?
rahulbreddy
on 7 Jan 2021
This issue is also affecting @azure/loganalytics. Can be updated for this package too?
rmiraballes
on 7 Jan 2021
@rmiraballes The @azure/loganalytics depends on @azure/ms-rest-js which in turn depends on axios. We merged the fix for this in https://github.com/Azure/ms-rest-js/pull/407 and will be releasing an update soon
ramya-rao-a
on 7 Jan 2021
@rmiraballes We just released an update for @azure/ms-rest-js, so you should be good with @azure/loganalytics
ramya-rao-a
on 8 Jan 2021
@ramya-rao-a Thanks
rmiraballes
on 8 Jan 2021
At least for me, the issue persists because version 1.2.1 depends an "@azure/msal-node": "1.0.0-beta.1" which in turn depends on "axios": "^0.19.2"
ccaspers
on 8 Jan 2021
Yes is still happening in @azure/[email protected], because of the @azure/msal-node dependency:
https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/identity/identity/package.json#L86
Is fixed on @azure/loganalytics.
rmiraballes
on 8 Jan 2021
The PR to update axios in @azure/msal-node was merged yesterday, see https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/2825
Once an update to @azure/msal-node is released, we can look into updating our dependency on it as well
ramya-rao-a
on 8 Jan 2021
@azure/msal-node has released an update with the fix
Re-opening this issue until we update the @azure-msal-node dependency in @azure/identity
ramya-rao-a
on 12 Jan 2021
@jonathandturner Can we close this issue now that 1.2.2 of @azure/identity is released?
ramya-rao-a
on 19 Jan 2021
@ramya-rao-a we're not using the Axios anymore on Identity, we've confirmed. We still have other packages that are using the old Axios though.
sadasant
on 26 Jan 2021
Closing this issue, since the issue with Axios for @azure/identity should be solved with 1.2.2.
jonathandturner
on 27 Jan 2021
Related issues
mitchdenny
路
4Comments
AElharouny
路
4Comments
karthikm249
路
3Comments
avieru
路
4Comments
nguerrera
路
3Comments
Most helpful comment
@azure/msal-nodehas released an update with the fixRe-opening this issue until we update the
@azure-msal-nodedependency in@azure/identity