
Security Vulnerability: axios dependency needs update #11


Closed
thedinosoar opened this issue May 29, 2025 · 5 comments · May be fixed by #12

Comments


thedinosoar commented May 29, 2025

Our app uses the latest storybook-zeplin package (3.0.0 as of now), which relies on @zeplin/sdk v1.9.0, which uses a very old version of axios with a high-severity (8.8) Server-side Request Forgery (SSRF) vulnerability (https://security.snyk.io/vuln/SNYK-JS-AXIOS-7361793).

Please update the axios dependency to a non-vulnerable version (e.g., [email protected] or later - please verify the latest secure version).

@aykutbulca (Member) commented:

Thank you for flagging this.

You're absolutely right — earlier versions of @zeplin/sdk relied on an outdated version of axios that was affected by a known SSRF vulnerability (SNYK-JS-AXIOS-7361793).

We actually addressed this issue a few months ago by updating the axios dependency, but due to a CI failure, the fix wasn’t published at the time. This has now been resolved, and the latest version of @zeplin/sdk (v1.28.0) includes the updated, secure axios (v1.6.7 or later, depending on your lockfile).

Please update to @zeplin/sdk@1.28.0 and let us know if you run into any issues or need further assistance.


thedinosoar commented May 30, 2025

@aykutbulca It looks like since @zeplin/sdk v1.28.0 only uses axios v1.6.7, it is still affected by this vulnerability. The CVE states that the vulnerable versions are >=1.3.2 <1.7.4.

For our project we just had to override the version of axios this package uses, which isn't ideal, so I figured it'd be easier to just make a PR: #12

@aykutbulca (Member) commented:

The package.json specifies "axios": "^1.6.8", and because of how the caret (^) works, it allows both minor and patch updates, up to (but not including) 2.0.0. Since axios has released versions beyond that, npm resolves the dependency to 1.8.3 in the package-lock.json, which is outside the affected range.

As a result, npm audit reports 0 vulnerabilities when using the latest version of the @zeplin/sdk package.

If you're seeing different behavior, make sure you're using the latest version of @zeplin/sdk and that your lockfile is up to date.
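To make the caret-range and lockfile point concrete, and to show what the earlier "override the version of axios" workaround has to check, here is an added example in JavaScript. It is not code from @zeplin/sdk, storybook-zeplin or PR #12; the package-lock.json it walks is constructed for illustration (the nested stale axios copy is invented to show the failure mode), and the helper names (caretAllows, auditLock, findInstalls) are this example's own.

```javascript
// Added example, not code from @zeplin/sdk, storybook-zeplin or this issue's PR.
// It walks a package-lock.json (lockfileVersion 2/3 "packages" map), reports every
// installed copy of a package that falls inside an affected semver range, and shows
// what a caret (^) spec in package.json actually permits.
// The lockfile below is constructed for illustration; it is not a real project's.

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { "storybook-zeplin": "^3.0.0" } },
    "node_modules/storybook-zeplin": { version: "3.0.0",
          dependencies: { "@zeplin/sdk": "^1.9.0" } },
    "node_modules/@zeplin/sdk": { version: "1.28.0",
          dependencies: { axios: "^1.6.8" } },
    // hoisted copy, resolved the last time the lockfile was regenerated
    "node_modules/axios": { version: "1.8.3" },
    // constructed: a nested copy left behind by a stale install
    "node_modules/@zeplin/sdk/node_modules/axios": { version: "1.6.7" },
  },
};

// Parse "1.7.4" (optionally with a leading "v") into [major, minor, patch].
// Pre-release tags are ignored here, which is enough for release versions.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two versions: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// npm caret semantics for a spec like "^1.6.8": >=1.6.8 <2.0.0 when major > 0,
// >=0.x.y <0.(x+1).0 when major is 0 and minor > 0, and an exact patch when 0.0.z.
function caretAllows(spec, version) {
  if (!spec.startsWith("^")) throw new Error(`not a caret spec: ${spec}`);
  const base = spec.slice(1);
  const [maj, min, pat] = parseVersion(base);
  let upper;
  if (maj > 0) upper = `${maj + 1}.0.0`;
  else if (min > 0) upper = `0.${min + 1}.0`;
  else upper = `0.0.${pat + 1}`;
  return compareVersions(version, base) >= 0 && compareVersions(version, upper) < 0;
}

// Is `version` inside [lo, hi)? This is the ">=lo <hi" shape advisories use.
function inAffectedRange(version, lo, hiExclusive) {
  return compareVersions(version, lo) >= 0 && compareVersions(version, hiExclusive) < 0;
}

// Every installed copy of `name`, hoisted or nested, with its install path.
// A lockfile can carry several copies; only checking the hoisted one misses the rest.
function findInstalls(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || !entry.version) continue;
    // the package name is whatever follows the last "node_modules/" in the path
    const installed = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (installed === name) out.push({ path, version: entry.version });
  }
  return out;
}

// Report each installed copy and whether it is inside the affected range.
function auditLock(lock, name, lo, hiExclusive) {
  return findInstalls(lock, name).map(({ path, version }) => ({
    path,
    version,
    affected: inAffectedRange(version, lo, hiExclusive),
  }));
}

// Affected range for SNYK-JS-AXIOS-7361793 as quoted in the thread: >=1.3.2 <1.7.4
const AXIOS_AFFECTED_LO = "1.3.2";
const AXIOS_AFFECTED_HI = "1.7.4";

for (const r of auditLock(SAMPLE_LOCK, "axios", AXIOS_AFFECTED_LO, AXIOS_AFFECTED_HI)) {
  console.log(`${r.path}: ${r.version} ${r.affected ? "AFFECTED" : "ok"}`);
}
console.log("^1.6.8 allows 1.8.3:", caretAllows("^1.6.8", "1.8.3"));
console.log("^1.6.8 allows 2.0.0:", caretAllows("^1.6.8", "2.0.0"));
```

Run it with node. Against a real project the same walk is what `npm ls axios` does for you; the point of walking every `node_modules/` path is that a caret spec in @zeplin/sdk's package.json only says what a fresh resolution may pick, while the lockfile says what is actually installed, and a stale nested copy stays vulnerable until the lockfile is regenerated or the version is forced with an `overrides` entry in the consuming project's package.json.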

@thedinosoar (Author) commented:

Oh I see, thank you for pointing that out. I'll close this issue now. Updating my package lock fixed it for me.

Out of curiosity, is there a reason to not change axios' version to the latest and make a new release for this package? Is it just to avoid breaking dependents?

@aykutbulca (Member) commented:

There is no specific reason—I just re-triggered the failed CI job from a few months ago and wanted to note that the issue was already resolved after that.

We’ll likely bump the axios version in the next release, as there’s no blocker for doing so. Thanks again for bringing this to our attention!
