Axios needs update

[gabor-ottlik-epam]

There is a security vulnerability in axios therefor it needs to be updated to >=0.21.1
You can find the vulnerability report on snyc: https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
The axios issue about the problem: axios/axios#3410

┆Issue is synchronized with this Asana task by Unito

[smckinney1]

The localtunnel dependency is preventing npm audit fix from doing its job.

Despite localtunnel updating axios in the latest version, 2.0.1, Chromatic's localtunnel dependency is still set to "axios": "0.19.0".

I don't have any experience with releasing packages on npm, so I could be off the mark, but could this have anything to do with Chromatic listing version 2.0.1 as the localtunnel dependency version long before this version was actually released 3 days ago?

https://github.com/chromaui/chromatic-cli/blame/next/package.json#L69

• Listed as the dependency version 16 months ago

[JackHowa]

yep you're right @smckinney1 :

codespace ➜ ~/workspace/chromatic-cli (update-axios-security) $ yarn audit
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @chromaui/localtunnel                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @chromaui/localtunnel > axios                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1594                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1922
Severity: 1 High
Done in 1.64s.

[JackHowa]

posted in discord channel maintenance as well https://discord.com/channels/486522875931656193/490070912448724992/799702768343318539

[tmeasday]

Hey all sorry about the delay here we'll get this sorted out ASAP.

[ghengeveld]

Fixed in chromatic@5.6.1