fix: upgrade kratos typescript client to axios v1.x [security]
This fixes https://nvd.nist.gov/vuln/detail/CVE-2023-45857, which is an issue discovered in Axios 0.8.1 through 1.5.1 that inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

Signed-off-by: Lucian Buzzo <[email protected]>
LucianBuzzo committed Nov 13, 2023
1 parent 39d9428 commit 25136a9
Showing 2 changed files with 122 additions and 11 deletions.
129 changes: 120 additions & 9 deletions clients/kratos/typescript/package-lock.json
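The lock-file diff is not rendered on this page, so the following is an added example (it is not part of this commit or of Ory's client code) that audits a package-lock.json for resolved axios versions inside the affected range the commit message names, 0.8.1 through 1.5.1. The lock-file object is constructed inline for illustration, and the handling of the lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages") layouts is an assumption about the formats npm writes. It shows that a manifest range such as "^1.0.0" can still resolve to an affected release.

```javascript
// Added example, not part of the Ory commit: flag axios versions in a
// package-lock.json that fall inside the range CVE-2023-45857 affects,
// 0.8.1 through 1.5.1 (taken from the commit message). No dependencies,
// so the semver comparison is implemented inline.

// Parse "MAJOR.MINOR.PATCH" into numbers. Prerelease/build suffixes are
// ignored (assumption: lock files pin release versions for axios).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive affected range, as stated in the commit message.
const AFFECTED = { min: "0.8.1", max: "1.5.1" };

function isAffected(version) {
  return compareVersions(version, AFFECTED.min) >= 0 &&
         compareVersions(version, AFFECTED.max) <= 0;
}

// Collect every resolved axios copy in a lock file, including nested
// (transitive) copies that live under another package's node_modules.
function findAxiosVersions(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by node_modules path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/axios") && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  // lockfileVersion 1: recursive "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "axios" && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Annotate each resolved copy with whether it is in the affected range.
function auditLock(lock) {
  return findAxiosVersions(lock).map((e) => ({ ...e, affected: isAffected(e.version) }));
}

// Constructed sample (lockfileVersion 3): the root manifest asks for
// "^1.0.0"; the direct copy resolved to 1.5.1, which satisfies that range
// but is still inside the affected window, while a transitive copy resolved
// to a release just above the window.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.0.0" } },
    "node_modules/axios": { version: "1.5.1" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.6.0" },
  },
};

for (const r of auditLock(SAMPLE_LOCK)) {
  console.log(`${r.path}: axios ${r.version} ${r.affected ? "AFFECTED" : "ok"}`);
}
```

Run it with `node` against a real lock file by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a hit on a nested path means a dependency of your dependencies still pulls an affected axios, which a top-level range bump alone does not fix.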


4 changes: 2 additions & 2 deletions clients/kratos/typescript/package.json
Expand Up @@ -18,10 +18,10 @@
"prepare": "npm run build"
},
"dependencies": {
"axios": "^0.21.4"
"axios": "^1.0.0"
},
"devDependencies": {
"@types/node": "^12.11.5",
"typescript": "^3.6.4"
}
}
}
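Review bot: The new range `"axios": "^1.0.0"` does not by itself exclude the affected releases: the commit message says 0.8.1 through 1.5.1 are vulnerable, and `^1.0.0` is satisfied by every 1.x release from 1.0.0 up to and including 1.5.1. The lock file in this commit pins whatever was installed locally, but package-lock.json is not honoured by downstream consumers of a published library such as this client, so a consumer resolving the range fresh can still land on an affected version. Raise the floor to the first release after 1.5.1 (e.g. `"axios": "^1.6.0"`) so the manifest itself documents the security floor. Also, 0.21 to 1.x is a major-version bump; a sentence in the commit message on what in the generated client was checked for compatibility would help reviewers.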
