Checkboxes for prior research
Describe the bug
npm audit fails when you depend on packages which use aws-crt, because aws-crt depends on a vulnerable version of axios.
CVE for axios: GHSA-8hc4-vh64-cxmj
SDK version number
@aws-sdk/client-dynamodb@3.629
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v20.10.0
Reproduction Steps
npm install @aws-sdk/client-dynamodb
npm audit
npm ls axios
├─┬ @aws-sdk/client-dynamodb@3.629.0
│ └─┬ @aws-sdk/util-user-agent-node@3.614.0
│ └─┬ aws-crt@1.21.3
│ └── axios@1.7.3
Observed Behavior
axios >=1.3.2
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios
aws-crt >=1.19.0
Depends on vulnerable versions of axios
node_modules/aws-crt
2 high severity vulnerabilities
Expected Behavior
Expect to have no vulnerabilities.
Possible Solution
No response
Additional Information/Context
Issue in axios repository: axios/axios#6463
Checkboxes for prior research
Describe the bug
npm auditfails when you depend on packages which use aws-crt, because aws-crt depends on a vulnerable version of axios.CVE for axios: GHSA-8hc4-vh64-cxmj
SDK version number
@aws-sdk/client-dynamodb@3.629
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v20.10.0
Reproduction Steps
npm install @aws-sdk/client-dynamodbnpm auditnpm ls axiosObserved Behavior
Expected Behavior
Expect to have no vulnerabilities.
Possible Solution
No response
Additional Information/Context
Issue in axios repository: axios/axios#6463