This repository was archived by the owner on Mar 19, 2025. It is now read-only.

Description
After installing `@userfront/toolkit`, npm warns about 3 high severity vulnerabilities:

```
❯ npm audit
# npm audit report

axios 1.3.2 - 1.7.3
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix --force`
Will install @userfront/toolkit@1.0.9, which is a breaking change
node_modules/axios
  @userfront/core 1.0.0
  Depends on vulnerable versions of axios
  node_modules/@userfront/core
    @userfront/toolkit 1.0.10-alpha.0 - 1.0.11-alpha.0
    Depends on vulnerable versions of @userfront/core
    node_modules/@userfront/toolkit

3 high severity vulnerabilities
```
I can see that the version of axios was bumped in this commit userfront/userfront-core@a100ebb, however the core lib is still installed as v1.0.0 as a part of @userfront/toolkit install.
```
// node_modules/@userfront/toolkit/package.json
"dependencies": {
  ...
  "@userfront/core": "1.0.0",
  ...
}
```
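The audit output above only tells you that a vulnerable `axios` is installed; when triaging a report like this it helps to see the exact chain of pins that pulls it in, so you know which package has to bump its dependency. The script below is an added example, not code from the userfront project or the issue author: it walks a lockfile-v3 `packages` map (the shape npm 7+ writes to `package-lock.json`), resolves each dependency the way npm's `node_modules` layout does (nearest enclosing `node_modules/<name>`), and prints every chain that ends at a copy of the target package whose version falls inside the advisory's range. The lockfile data is constructed inline to mirror the chain in the audit report; the `1.6.8` axios version and `my-app` root name are assumptions for the example.

```javascript
// Added example: find every dependency chain in a lockfile v3 that reaches a
// package whose installed version is inside a vulnerable range.

// Constructed lockfile fragment mirroring the chain reported by npm audit above.
// Not a real package-lock.json from the project; versions are assumptions.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "@userfront/toolkit": "1.0.10-alpha.0" } },
    "node_modules/@userfront/toolkit": {
      version: "1.0.10-alpha.0",
      dependencies: { "@userfront/core": "1.0.0" }, // exact pin from the issue
    },
    "node_modules/@userfront/core": {
      version: "1.0.0",
      dependencies: { axios: "^1.3.2" },
    },
    "node_modules/axios": { version: "1.6.8" },
  },
};

// "1.7.3-beta.1" -> [1, 7, 3]; prerelease tags are ignored, which is enough for triage.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10));
}

// Returns -1, 0 or 1 comparing two dotted versions numerically, field by field.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Inclusive check matching how npm audit prints a range such as "1.3.2 - 1.7.3".
function inRange(version, low, high) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// Resolve a dependency name from the package at `fromPath` the way npm's install
// layout does: look for node_modules/<name> beside it, then walk up toward the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; collects every chain that ends at an
// installed copy of `target` with a version in [low, high]. Cycle guard via the
// list of lockfile paths already on the current chain.
function findVulnerablePaths(lock, target, low, high) {
  const packages = lock.packages;
  const hits = [];

  function walk(path, labels, onChain) {
    const pkg = packages[path];
    if (!pkg) return;
    const deps = Object.assign({}, pkg.dependencies, pkg.optionalDependencies);
    for (const name of Object.keys(deps)) {
      const depPath = resolveDep(packages, path, name);
      if (!depPath || onChain.includes(depPath)) continue;
      const dep = packages[depPath];
      const label = name + "@" + dep.version;
      if (name === target && inRange(dep.version, low, high)) {
        hits.push(labels.concat(label).join(" > "));
      }
      walk(depPath, labels.concat(label), onChain.concat(depPath));
    }
  }

  walk("", [packages[""].name || "root"], [""]);
  return hits;
}

// Usage: node find-vuln-paths.js (swap LOCKFILE for JSON.parse of a real package-lock.json)
const chains = findVulnerablePaths(LOCKFILE, "axios", "1.3.2", "1.7.3");
console.log(chains.length ? chains.join("\n") : "no axios in the vulnerable range");
```

For the constructed data this prints a single chain, `my-app > @userfront/toolkit@1.0.10-alpha.0 > @userfront/core@1.0.0 > axios@1.6.8`, which shows directly that the fix has to land in the `@userfront/core` pin inside `@userfront/toolkit`, not in the application's own `package.json`. Once the transitive package is bumped past `1.7.3`, the same script returns no chains.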