-
-
Notifications
You must be signed in to change notification settings - Fork 246
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependency Security: Axios Cross-Site Request Forgery Vulnerability #419
Comments
Axios is just making calls directly to segment https://github.com/segmentio/analytics-node/blob/master/index.js#L303 I don't think this security warning will have any impact on you. If you are just using segment in the browser you can completely ignore the warning as axios is only used serverside in node. I won't be updating the node package anytime soon but am ppen to PRs to refactor https://github.com/DavidWells/analytics/blob/master/packages/analytics-plugin-segment/src/node.js to the latest version of the segment node package. https://segment.com/docs/connections/sources/catalog/libraries/server/node/migration/ |
There is a
Axios Cross-Site Request Forgery Vulnerability
dependency in the@analytics/segment
plugin.Dependabot is stating:
@analytics/[email protected] requires axios@^0.21.1 via a transitive dependency on [email protected]
(https://github.com/DavidWells/analytics/blob/master/packages/analytics-plugin-segment/package.json#L56)
Looks like
analytics-node
is a deprecated repo with no more support.analytics-node
suggests using this repo instead: https://github.com/segmentio/analytics-next/tree/master/packages/node#readmeAny way you can replace
analytics-node
withanalytics-next
?The text was updated successfully, but these errors were encountered: