upyun@3.4.6 depends on axios ≤0.30.1, which has high-severity vulnerabilities; please upgrade #79

@i-NMB

Description

Hello!

Thank you for maintaining the Upyun Node.js SDK! While using node-sdk as a dependency, we found a security risk and are reporting it here in the hope that it can be fixed soon.

Main problem

upyun@3.4.6 (the current latest version) depends on axios "^0.26.1", and that version has 3 high-severity security vulnerabilities that have been publicly disclosed via GitHub Security Advisories:
axios <=0.30.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - GHSA-jr5f-v2jv-69x6
Axios is vulnerable to DoS attack through lack of data size check - GHSA-4hjh-wcwx-xvwj
