High severity vulnerability (axios)

[alexkuc]

Adding browser-sync as a dependency results in npm audit warning:

found 1 high severity vulnerability

Further details:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > localtunnel > axios                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 212 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Steps to reproduce:

1. mkdir test && cd test
2. npm init
3. npm install -D browser-sync
4. npm audit

It looks like localtunnel already has a GH issue on this: localtunnel/localtunnel#377

So I guess we need to wait for localtunnel to fix the issue and then bump dependency here?

Ps. in the past a similar issue has happened (#1695)

[matthewmascord]

What would the impact be of forcing the update of the Axios dependency from 0.19.0 to 0.21.1?

[alexkuc]

I didn't notice any breaking changes in the release log but it is possible that some of the browser-sync functionality might break as there were quite a few changes in axios

[englishextra]

I guess I will have to live with that since:

localtunnel/localtunnel#377 (comment)

[hiphopappotamus]

I ran into this problem too and couldn't get it resolved by updating axios or localtunnel, but what I ended up doing to solve it was updating nodejs to the latest stable release and then running npm update -g and making sure any local dependencies in my individual projects were up to date too (I use the npm-check-updates package for that).

Hopefully this method helps somebody...I'm still a little clueless when it comes to updating things from the git repositories so I usually end up going the full nodejs update route

[thomas-gordon]

If you uninstall then re-install the current version of browser-sync, the localtunnel dependency should update and then the vulnerability will disappear.

[mattwelke]

@thomas-gordon That worked for me. GitHub's automated security updates couldn't figure out how to make a PR for me since browser-sync's version didn't need to be updated. Uninstalling and re-installing browser-sync updated the localtunnel transitive dependency to 2.0.1 which updated the axios transitive dependency to 0.21.0, resolving the security issue.

Because there's no need to do anything to browser-sync to resolve this now, this issue should be closed.

[thomas-gordon]

Agreed, this can be closed.

[alexkuc]

LGTM:

mkdir test
cd test
npm init --yes --private
npm add --dev browser-sync
npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 203 scanned packages

So marking this as resolved.