browser-sync dependency vulnerability (localtunnel -> axios)

Created on 31 May 2019  路  7Comments  路  Source: BrowserSync/browser-sync

Issue details

browser-sync depends upon localtunnel 1.9.1, which depends upon axios 0.17.1, which has an outstanding security vulnerability. This causes warnings across every GitHub repo that is using browser-sync.

Steps to reproduce/test case

Have localtunnel 1.9.1 in your package-lock.json.

Please specify which version of Browsersync, node and npm you're running

  • Browsersync [ 1.9.1 ]
  • Node [ ]
  • Npm [ ]

Affected platforms

  • [x] linux
  • [x] windows
  • [x] OS X
  • [x] freebsd
  • [x] solaris
  • [x] other _(please specify which)_

Browsersync use-case

  • [ ] API
  • [ ] Gulp
  • [x] Grunt
  • [ ] CLI

If CLI, please paste the entire command below

N/A

for all other use-cases, (gulp, grunt etc), please show us exactly how you're using

The vulnerability warning can be seen here:
https://github.com/mozilla/ssl-config-generator/network/alert/package-lock.json/axios/open

This issue is dependent upon the following issue:
https://github.com/localtunnel/localtunnel/issues/302

picture april
👍17 👀5

Most helpful comment

The localtunnel issue is now fixed in version 1.9.2.

picture gverni on 2 Jun 2019
👍7 🚀21

All 7 comments

The localtunnel issue is now fixed in version 1.9.2.

gverni picture gverni on 2 Jun 2019
👍7 🚀21

@gverni GREAT!

@april waiting on @gaards to merge.

@shakyShane any chance of expediting the merge of this vulnerability fix?
I know you took care of the last few.

snuggs picture snuggs on 4 Jun 2019
👍8

This is happening again , localtunnel has axios v0.19.0, and it is fixed in v0.21.1

dippas picture dippas on 5 Jan 2021
👍5

localtunnel issue that tracks 鈽濓笍 https://github.com/localtunnel/localtunnel/issues/377

morozgrafix picture morozgrafix on 5 Jan 2021
👍31

....and here we are again. At least i'm not the only one that this issue popped up on. Was having DeJa V煤 thinking this was fixed already.

/ping @gaards @shakyShane 馃檹馃徑

snuggs picture snuggs on 5 Jan 2021
👍3

@snuggs made a new issue to keep track of it (#1831)

alexkuc picture alexkuc on 6 Jan 2021
🚀11 👍1

localtunell just release v2.0.1, please update

dippas picture dippas on 10 Jan 2021
Was this page helpful?
0 / 5 - 0 ratings

Related issues

zewa666 picture zewa666  路  3Comments
pensierinmusica picture pensierinmusica  路  4Comments
ronilaukkarinen picture ronilaukkarinen  路  4Comments
adjavaherian picture adjavaherian  路  4Comments
kraf picture kraf  路  3Comments