
SNOW-1281470: SNYK Vulnerability on Follow Redirects / Axios #808

Closed
mick-feller opened this issue Mar 28, 2024 · 2 comments
Labels
bug Something isn't working status-triage_done Initial triage done, will be further handled by the driver team

Comments

@mick-feller

Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!

What version of NodeJS driver are you using?
1.10.0

What operating system and processor architecture are you using?
Linux

What version of NodeJS are you using?
20

There is a CVE open for follow-redirects 1.15.4 that is introduced through Axios 1.6.5; upgrading Axios to 1.6.7 will fix this vulnerability:
CVE-2024-28849

Snyk Report: https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6444610

@mick-feller mick-feller added the bug Something isn't working label Mar 28, 2024
@github-actions github-actions bot changed the title SNYK Vulnerability on Follow Redirects / Axios SNOW-1281470: SNYK Vulnerability on Follow Redirects / Axios Mar 28, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka self-assigned this Mar 28, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka added the status-triage Issue is under initial triage label Mar 28, 2024
@sfc-gh-dszmolka

Hi, and thank you for reporting this issue and keeping an open eye for vulnerabilities!

Looks to be fixed in axios 1.6.8, and since we require axios versions anything between 1.6.5 and <2.0.0, the fixed version of axios is automatically installed with a (re)installation of snowflake-sdk.

Just checked:

```
# npm i [email protected]
..gets installed
# npm ls follow-redirects
test@ /test
`-- [email protected]
  `-- [email protected]
    `-- [email protected]
```

Fixed axios and, transitively, the fixed follow-redirects is installed, so I think this is already covered; closing this out for now. Do comment please if you need any further assistance with this issue and we'll look further.
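The manual `npm ls` check above can be scripted so a build verifies the transitive fix actually landed. This is an added example for this thread, not code from snowflake-sdk; the dependency trees below are constructed in the shape `npm ls --all --json` emits, and the only threshold taken from the thread is axios >= 1.6.8.

```python
"""Walk an `npm ls --json` tree and flag every copy of a package below a fixed version."""
import json
import re

# Constructed samples mirroring the chain reported in this issue
# (snowflake-sdk -> axios); versions other than 1.10.0/1.6.5/1.6.8 are not from the page.
VULNERABLE_TREE = json.loads("""
{"name": "test", "dependencies": {
  "snowflake-sdk": {"version": "1.10.0", "dependencies": {
    "axios": {"version": "1.6.5"}}}}}
""")
FIXED_TREE = json.loads("""
{"name": "test", "dependencies": {
  "snowflake-sdk": {"version": "1.10.0", "dependencies": {
    "axios": {"version": "1.6.8"}}}}}
""")


def parse_semver(version):
    """Return (major, minor, patch) as ints; a leading 'v' and pre-release tags are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    return tuple(int(x) for x in m.groups())


def find_package(tree, name, path=()):
    """Yield (dependency path, version) for every occurrence of `name`, at any depth.

    npm can install several copies of one package, so every path is reported, not just the first.
    """
    for dep, info in tree.get("dependencies", {}).items():
        here = path + (dep,)
        if dep == name:
            yield here, info.get("version", "")
        yield from find_package(info, name, here)


def check_minimum(tree, name, minimum):
    """Return [(path, version)] for copies of `name` below `minimum`; an empty list means all OK.

    A package that is not installed at all yields no finding: there is nothing vulnerable present.
    """
    floor = parse_semver(minimum)
    return [(" > ".join(path), version)
            for path, version in find_package(tree, name)
            if parse_semver(version) < floor]


if __name__ == "__main__":
    # Pipe real output in: `npm ls --all --json | python check_tree.py`
    import sys
    print(check_minimum(json.load(sys.stdin), "axios", "1.6.8"))
```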

@sfc-gh-dszmolka sfc-gh-dszmolka added status-triage_done Initial triage done, will be further handled by the driver team and removed status-triage Issue is under initial triage labels Mar 28, 2024
@sfc-gh-dszmolka

sfc-gh-dszmolka commented Mar 28, 2024

Also, to be sure we have the fixed minimum version, created #809 to bump the axios requirement to ^1.6.8, but as mentioned above, even today a (re)installation should install the fixed axios in the project.

edit: PR merged
