Installing pi-backend results in three high-severity vulnerabilities reported by npm audit due to axios <=1.11.0 pulled in via stellar-sdk.
Reproduction

```sh
npm init -y
npm i pi-backend
npm audit --omit=dev
```
Observed (excerpt)

```text
# npm audit report

axios  <=1.11.0
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios is vulnerable to DoS attack through lack of data size check - https://github.com/advisories/GHSA-4hjh-wcwx-xvwj
No fix available
node_modules/stellar-sdk/node_modules/axios
  stellar-sdk  <=10.4.1
  Depends on vulnerable versions of axios
  node_modules/stellar-sdk
    pi-backend  *
    Depends on vulnerable versions of stellar-sdk
    node_modules/pi-backend

3 high severity vulnerabilities
```
Impact
High-severity CSRF, SSRF, and DoS risks through axios used by stellar-sdk.
Proposed fix
Upgrade dependencies on both stellar-sdk and axios to the latest versions (14.2.0 and 1.12.2 respectively at the time of writing) and publish a patch release.