
Comments (6)

tiwarishubham635 commented on September 8, 2024 · 3

Hi! We have merged #971 addressing this issue. Thanks!

from twilio-node.

saghaulor commented on September 8, 2024 · 3

> > Given that this is an API client and that there is a warning indicating not to use this in front-end apps, which means there are no cookies involved, and that CSRF is a front-end vuln related to cookie handling, I'm pretty sure this vulnerability does not affect this library in any meaningful way.
> >
> > From the readme https://github.com/twilio/twilio-node/blob/main/README.md?plain=1#L28-L29
> >
> > > Do not use this Node.js library in a front-end application. Doing so can expose your Twilio credentials to end-users as part of the bundled HTML/JavaScript sent to their browser.
>
> While I agree this MIGHT not impact the client in any meaningful way, as of now. But:
>
> 1. There is no way to tell if the vulnerability will impact future releases. Anything could happen.
> 2. Letting a vulnerability stay in the code intentionally causes all sorts of issues for consumers of the library, i.e. broken pipelines, setting up rules to ignore particular scan results, etc.
> 3. What downside is there to patching the library? There is already a PR created.

Oh, I agree on all points. I was merely trying to contextualize the vuln, as often people will see a vuln and make quick judgements. I was trying to help anyone who doesn't fully understand the issue to understand that there isn't a security risk. However, to your point, there are other reasons to upgrade. Thankfully the fix was merged!


mfulton26 commented on September 8, 2024 · 2

Upgrading to the latest version of axios or moving to the fetch API built into Node 18+ has its own benefits.

Node 14 & 16 are both end-of-life releases. Removing axios and using fetch instead means one less package to depend on, have potential security issues from, etc.

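Two points in this thread lend themselves to a worked example: saghaulor's observation that a server-side API client authenticates with credentials, not cookies, so a cookie-driven CSRF issue in the HTTP layer does not change its threat model, and mfulton26's suggestion to drop axios for the fetch built into Node 18+. The block below is an added example written for this page, not twilio-node's own code. It builds a Twilio Messages request with Basic auth (the URL and form-encoded POST shape follow Twilio's public REST API), sends it through Node's global fetch, refuses to start if it finds itself in a browser-like environment (the readme's warning), and takes an injectable fetch so it can run offline. The function names (`assertServerSide`, `buildRequest`, `sendMessage`, `makeFakeFetch`), the fake fetch, and the credentials and phone numbers in `demo()` are all hypothetical and constructed for the example.

```javascript
// Added example, not code from twilio-node: a minimal server-side Twilio REST
// call on Node 18+ using the built-in fetch instead of axios. The request shape
// (Basic auth with Account SID / Auth Token, form-encoded POST to
// /2010-04-01/Accounts/{Sid}/Messages.json) follows Twilio's public REST API;
// the function names and the fake fetch below are hypothetical.

const TWILIO_API_BASE = 'https://api.twilio.com/2010-04-01';

// The readme says not to ship this library to a browser. A cheap runtime check:
// a browser bundle exposes window/document, a Node process does not. The env
// parameter exists only so the check can be exercised in a test.
function assertServerSide(env = globalThis) {
  if (typeof env.window !== 'undefined' || typeof env.document !== 'undefined') {
    throw new Error('Refusing to run: Twilio credentials must not be bundled into a browser');
  }
}

// Build the fetch arguments for a POST to a Twilio resource. The only
// credential is the Authorization header derived from the Account SID and
// Auth Token; no cookie is read or sent, which is why a cookie-based CSRF
// problem in an HTTP client does not change the threat model of this call.
function buildRequest(accountSid, authToken, path, formParams) {
  const url = `${TWILIO_API_BASE}/Accounts/${encodeURIComponent(accountSid)}${path}`;
  const basic = Buffer.from(`${accountSid}:${authToken}`).toString('base64');
  return {
    url,
    init: {
      method: 'POST',
      headers: {
        Authorization: `Basic ${basic}`,
        'Content-Type': 'application/x-www-form-urlencoded',
        Accept: 'application/json',
      },
      body: new URLSearchParams(formParams).toString(),
    },
  };
}

// Send an SMS. fetchImpl is injectable so the call can run offline in a test;
// in production it defaults to Node's global fetch (Node 18+).
async function sendMessage(config, params) {
  const { accountSid, authToken, fetchImpl = globalThis.fetch, env = globalThis } = config;
  assertServerSide(env);
  const { url, init } = buildRequest(accountSid, authToken, '/Messages.json', params);
  const res = await fetchImpl(url, init);
  if (!res.ok) {
    // Do not echo the request (it carries the Authorization header) into logs.
    throw new Error(`Twilio API responded with HTTP ${res.status}`);
  }
  return res.json();
}

// Constructed stand-in for fetch: records what it was called with and returns
// a canned Twilio-style JSON body so the example runs with no network access.
function makeFakeFetch(calls) {
  return async (url, init) => {
    calls.push({ url, init });
    return {
      ok: true,
      status: 201,
      json: async () => ({ sid: 'SM00000000000000000000000000000000', status: 'queued' }),
    };
  };
}

// Offline demo with constructed credentials and numbers (not real ones).
async function demo() {
  const calls = [];
  const result = await sendMessage(
    { accountSid: 'ACxxxxxxxx', authToken: 'example-token', fetchImpl: makeFakeFetch(calls) },
    { To: '+15005550006', From: '+15005550001', Body: 'hello' },
  );
  return { result, calls };
}

demo().then(({ result, calls }) => {
  console.log(calls[0].url, calls[0].init.body, result.status);
});
```

In a real deployment the Account SID and Auth Token come from the server's environment or secret store, never from a bundle shipped to a browser; the guard in `assertServerSide` is a belt-and-braces check, not a substitute for keeping the library out of front-end builds. Dropping the HTTP client dependency also removes one package from the supply-chain surface that scanners will flag, which was the pipeline concern raised earlier in the thread.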

yangsu-ab commented on September 8, 2024 · 1

> Given that this is an API client and that there is a warning indicating not to use this in front-end apps, which means there are no cookies involved, and that CSRF is a front-end vuln related to cookie handling, I'm pretty sure this vulnerability does not affect this library in any meaningful way.
>
> From the readme https://github.com/twilio/twilio-node/blob/main/README.md?plain=1#L28-L29
>
> > Do not use this Node.js library in a front-end application. Doing so can expose your Twilio credentials to end-users as part of the bundled HTML/JavaScript sent to their browser.

While I agree this MIGHT not impact the client in any meaningful way, as of now. But:

  1. There is no way to tell if the vulnerability will impact future releases. Anything could happen.
  2. Letting a vulnerability stay in the code intentionally causes all sorts of issues for consumers of the library, i.e. broken pipelines, setting up rules to ignore particular scan results, etc.
  3. What downside is there to patching the library? There is already a PR created.


saghaulor commented on September 8, 2024 · 1

> Upgrading to the latest version of axios or moving to the fetch API built into Node 18+ has its own benefits.
>
> Node 14 & 16 are both end-of-life releases. Removing axios and using fetch instead means one less package to depend on, have potential security issues from, etc.

This is a great point. Hopefully the team will consider replacing Axios and using the built-in fetch API.


saghaulor commented on September 8, 2024

Given that this is an API client and that there is a warning indicating not to use this in front-end apps, which means there are no cookies involved, and that CSRF is a front-end vuln related to cookie handling, I'm pretty sure this vulnerability does not affect this library in any meaningful way.

From the readme https://github.com/twilio/twilio-node/blob/main/README.md?plain=1#L28-L29

> Do not use this Node.js library in a front-end application. Doing so can expose your Twilio credentials to end-users as part of the bundled HTML/JavaScript sent to their browser.

