Security issue in axios dependency #759

Closed
tiltingpenguin opened this issue Aug 21, 2024 · 5 comments · Fixed by #760

Comments

@tiltingpenguin
Contributor

There was an SSRF security vulnerability found in axios (CVE-2024-39338), could you bump the version of axios used to 1.7.4, which is the patched version?

references:

@krassowski
Member

@tiltingpenguin can you point to a place in code where axios is used?

@tiltingpenguin
Contributor Author

axios is a dependency of a dependency (nx), but the vulnerable version is pulled in, as you can see in the package-lock.json in line 6869. I can't say exactly if vulnerable code is used by nbdime as I haven't looked into it that deeply, but is there a reason not to update it?

@krassowski
Member

krassowski commented Aug 21, 2024

Feel welcome to update it! This was just to highlight that axios is likely NOT used in the code shipped by nbdime (nor is nx).

See also jupyterlab/jupyterlab#16698

@tiltingpenguin
Contributor Author

Thanks for making me aware of this. We got a bug in openSUSE Tumbleweed about the security issue, so I will update it just to be safe. But it would be great if you could provide a list of packages that are actually shipped in the future like in the jupyterlab issue you linked.

@krassowski
Member

Thanks for the context and sorry for brevity.

But it would be great if you could provide a list of packages that are actually shipped in the future like in the jupyterlab issue you linked

Great to hear it would be useful! I wonder how we can make this easier for everyone. I know that GitHub recognised this problem with dependabot by allowing it to auto-dismiss likely false positives (e.g. from packages only used in devDependencies): https://github.blog/changelog/2023-05-02-dependabot-alerts-now-automatically-dismiss-false-positives-for-npm-public-beta/
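The question running through this thread is whether a package flagged by an audit tool is actually reachable from what the project ships, or only through a build-time dependency such as nx. The script below is an added example, not nbdime's code and not part of the original issue: it walks a package-lock.json (lockfileVersion 2 or 3) from the root package's production `dependencies` only, using npm's nested `node_modules` resolution order, and reports every install of a named package with whether it is production-reachable and whether its version is below the fixed version. The lockfile it runs on is a constructed sample with hypothetical package names (`example-app`, `http-client`, `build-tool`), chosen to mirror the situation discussed here: a patched axios hoisted to the top level for a runtime dependency, and an older axios nested under a dev-only build tool.

```javascript
'use strict';

// Added example (not nbdime's code): decide whether a vulnerable package in
// package-lock.json is reachable from the root package's production
// "dependencies", or only through devDependencies such as a build tool.
// Supports lockfileVersion 2/3, whose "packages" map is keyed by install path.

// npm resolution order: node_modules/<name> nested under `fromPath`, then each
// ancestor's node_modules, then the top level. Returns the lockfile key or null.
function resolveFrom(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const key = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[key]) return key;
    if (base === '') return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Breadth-first walk from the root package over dependencies and
// optionalDependencies only; devDependencies are deliberately not followed.
function productionPaths(lock) {
  const packages = lock.packages || {};
  const seen = new Set(['']);
  const queue = [''];
  while (queue.length) {
    const from = queue.shift();
    const entry = packages[from] || {};
    const edges = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(edges)) {
      const key = resolveFrom(packages, from, name);
      if (key && !seen.has(key)) {
        seen.add(key);
        queue.push(key);
      }
    }
  }
  seen.delete('');
  return seen;
}

// Package name is whatever follows the last "node_modules/" segment,
// which keeps scoped names such as @scope/name intact.
function nameOf(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Numeric major.minor.patch comparison; prerelease suffixes are ignored.
function versionLess(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Every install of `name` in the lockfile, with its version, whether it is
// reachable from production dependencies, and whether it is below `fixedIn`.
function auditPackage(lock, name, fixedIn) {
  const shipped = productionPaths(lock);
  const packages = lock.packages || {};
  return Object.keys(packages)
    .filter((key) => key !== '' && nameOf(key) === name)
    .map((key) => ({
      path: key,
      version: packages[key].version,
      shipped: shipped.has(key),
      vulnerable: versionLess(packages[key].version, fixedIn),
    }));
}

// Constructed sample lockfile (hypothetical names, not nbdime's): the runtime
// dependency http-client resolves to a patched axios at the top level, while
// the dev-only build tool pins an older axios nested under its own node_modules.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'example-app',
      dependencies: { 'http-client': '^1.0.0' },
      devDependencies: { 'build-tool': '^1.0.0' },
    },
    'node_modules/http-client': { version: '1.0.0', dependencies: { axios: '^1.7.4' } },
    'node_modules/axios': { version: '1.7.4' },
    'node_modules/build-tool': { version: '1.0.0', dev: true, dependencies: { axios: '~1.6.0' } },
    'node_modules/build-tool/node_modules/axios': { version: '1.6.8', dev: true },
  },
};

// Real-lockfile usage: node audit-lock.js package-lock.json axios 1.7.4
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  console.table(auditPackage(lock, process.argv[3] || 'axios', process.argv[4] || '1.7.4'));
}
```

On the sample, the nested 1.6.8 install is the one an audit tool would flag, and the walk reports it as not shipped, while the hoisted 1.7.4 is shipped but already at the fixed version. npm itself records the same distinction as `"dev": true` on lockfile entries, so a quick first check on a real project is simply whether every install of the flagged package carries that flag; the script recomputes it from the dependency graph so the result does not depend on the flag being up to date. lockfileVersion 1 uses a nested `dependencies` tree instead of the flat `packages` map and is not handled here.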
