
Dependency Security: Axios Cross-Site Request Forgery Vulnerability #419

Open
roninCode opened this issue Feb 5, 2024 · 1 comment

@roninCode

There is an Axios Cross-Site Request Forgery vulnerability in a dependency of the @analytics/segment plugin.

Dependabot is stating: @analytics/[email protected] requires axios@^0.21.1 via a transitive dependency on [email protected]
(https://github.com/DavidWells/analytics/blob/master/packages/analytics-plugin-segment/package.json#L56)

Looks like analytics-node is a deprecated repo with no more support.

analytics-node suggests using this repo instead: https://github.com/segmentio/analytics-next/tree/master/packages/node#readme

Any way you can replace analytics-node with analytics-next?

@DavidWells
Owner

Axios is just making calls directly to Segment (https://github.com/segmentio/analytics-node/blob/master/index.js#L303). I don't think this security warning will have any impact on you.

If you are just using segment in the browser you can completely ignore the warning as axios is only used serverside in node.

I won't be updating the node package anytime soon but am open to PRs to refactor https://github.com/DavidWells/analytics/blob/master/packages/analytics-plugin-segment/src/node.js to the latest version of the Segment node package (https://segment.com/docs/connections/sources/catalog/libraries/server/node/migration/).
