From 3912c5e7abca98fe81d4c9c25894d30d8023ce56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=A4=95=E0=A4=BE=E0=A4=B0=E0=A4=A4=E0=A5=8B=E0=A4=AB?= =?UTF-8?q?=E0=A5=8D=E0=A4=AB=E0=A5=87=E0=A4=B2=E0=A4=B8=E0=A5=8D=E0=A4=95?= =?UTF-8?q?=E0=A5=8D=E0=A4=B0=E0=A4=BF=E0=A4=AA=E0=A5=8D=E0=A4=9F=E2=84=A2?=
Date: Wed, 17 Jan 2024 16:41:01 +0100
Subject: [PATCH] feat(core): Upgrade axios and follow-redirects to address CVE-2023-26159 (#8366)

---
 packages/@n8n/client-oauth2/package.json | 2 +-
 packages/cli/package.json | 2 +-
 packages/core/package.json | 2 +-
 packages/editor-ui/package.json | 2 +-
 pnpm-lock.yaml | 81 ++++++++++++++----------
 5 files changed, 50 insertions(+), 39 deletions(-)

diff --git a/packages/@n8n/client-oauth2/package.json b/packages/@n8n/client-oauth2/package.json
index 85d24f69c8..e3b3ee7657 100644
--- a/packages/@n8n/client-oauth2/package.json
+++ b/packages/@n8n/client-oauth2/package.json
@@ -20,6 +20,6 @@
 "dist/**/*"
 ],
 "dependencies": {
- "axios": "1.6.2"
+ "axios": "1.6.5"
 }
 }
diff --git a/packages/cli/package.json b/packages/cli/package.json
index 1f01f299d1..ecc6c22d98 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -109,7 +109,7 @@
 "@rudderstack/rudder-sdk-node": "1.0.6",
 "@sentry/integrations": "7.87.0",
 "@sentry/node": "7.87.0",
- "axios": "1.6.2",
+ "axios": "1.6.5",
 "basic-auth": "2.0.1",
 "bcryptjs": "2.4.3",
 "bull": "4.12.1",
diff --git a/packages/core/package.json b/packages/core/package.json
index 6a788736a5..8d8052d2f1 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -50,7 +50,7 @@
 "dependencies": {
 "@n8n/client-oauth2": "workspace:*",
 "aws4": "1.11.0",
- "axios": "1.6.2",
+ "axios": "1.6.5",
 "concat-stream": "2.0.0",
 "cron": "1.7.2",
 "fast-glob": "3.2.12",
diff --git a/packages/editor-ui/package.json b/packages/editor-ui/package.json
index bfcb6c4682..53d1352652 100644
--- a/packages/editor-ui/package.json
+++ b/packages/editor-ui/package.json
@@ -47,7 +47,7 @@ "@n8n/permissions": "workspace:*", "@vueuse/components": "^10.5.0", "@vueuse/core": "^10.5.0", - "axios": "^1.6.2", + "axios": "1.6.5", "chart.js": "^4.4.0", "codemirror-lang-html-n8n": "^1.0.0", "codemirror-lang-n8n-expression": "^0.2.0", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 8d074ecdf7..711659fa28 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -170,8 +170,8 @@ importers: packages/@n8n/client-oauth2: dependencies: axios: - specifier: 1.6.2 - version: 1.6.2(debug@3.2.7) + specifier: 1.6.5 + version: 1.6.5(debug@3.2.7) packages/@n8n/nodes-langchain: dependencies: @@ -231,7 +231,7 @@ importers: version: 1.2.0 langchain: specifier: 0.0.198 - version: 0.0.198(@aws-sdk/client-bedrock-runtime@3.454.0)(@aws-sdk/credential-provider-node@3.451.0)(@getzep/zep-js@0.9.0)(@google-ai/generativelanguage@0.2.1)(@huggingface/inference@2.6.4)(@pinecone-database/pinecone@1.1.2)(@qdrant/js-client-rest@1.7.0)(@supabase/supabase-js@2.38.5)(@xata.io/client@0.25.3)(axios@1.6.2)(cohere-ai@6.2.2)(d3-dsv@2.0.0)(epub2@3.0.1)(html-to-text@9.0.5)(lodash@4.17.21)(mammoth@1.6.0)(pdf-parse@1.1.1)(pg@8.11.3)(redis@4.6.12)(typeorm@0.3.17) + version: 0.0.198(@aws-sdk/client-bedrock-runtime@3.454.0)(@aws-sdk/credential-provider-node@3.451.0)(@getzep/zep-js@0.9.0)(@google-ai/generativelanguage@0.2.1)(@huggingface/inference@2.6.4)(@pinecone-database/pinecone@1.1.2)(@qdrant/js-client-rest@1.7.0)(@supabase/supabase-js@2.38.5)(@xata.io/client@0.25.3)(axios@1.6.5)(cohere-ai@6.2.2)(d3-dsv@2.0.0)(epub2@3.0.1)(html-to-text@9.0.5)(lodash@4.17.21)(mammoth@1.6.0)(pdf-parse@1.1.1)(pg@8.11.3)(redis@4.6.12)(typeorm@0.3.17) lodash: specifier: 4.17.21 version: 4.17.21 @@ -398,8 +398,8 @@ importers: specifier: 7.87.0 version: 7.87.0 axios: - specifier: 1.6.2 - version: 1.6.2(debug@3.2.7) + specifier: 1.6.5 + version: 1.6.5(debug@3.2.7) basic-auth: specifier: 2.0.1 version: 2.0.1 
@@ -747,8 +747,8 @@ importers: specifier: 1.11.0 version: 1.11.0 axios: - specifier: 1.6.2 - version: 1.6.2(debug@3.2.7) + specifier: 1.6.5 + version: 1.6.5(debug@3.2.7) concat-stream: specifier: 2.0.0 version: 2.0.0 @@ -1049,8 +1049,8 @@ importers: specifier: ^10.5.0 version: 10.5.0(vue@3.3.4) axios: - specifier: ^1.6.2 - version: 1.6.2(debug@3.2.7) + specifier: 1.6.5 + version: 1.6.5(debug@3.2.7) chart.js: specifier: ^4.4.0 version: 4.4.0 @@ -6086,8 +6086,8 @@ packages: /@mistralai/mistralai@0.0.7: resolution: {integrity: sha512-47FiV/GBnt6gug99ZfDBcBofYuYvqT5AyhUDdtktUbCN+gq52tmiAbtwc88k7hlyUWHzJ28VpHRDfNTRfaWKxA==} dependencies: - axios: 1.6.2(debug@3.2.7) - axios-retry: 4.0.0(axios@1.6.2) + axios: 1.6.5(debug@3.2.7) + axios-retry: 4.0.0(axios@1.6.5) transitivePeerDependencies: - debug dev: false @@ -12226,29 +12226,19 @@ packages: is-retry-allowed: 2.2.0 dev: false - /axios-retry@4.0.0(axios@1.6.2): + /axios-retry@4.0.0(axios@1.6.5): resolution: {integrity: sha512-F6P4HVGITD/v4z9Lw2mIA24IabTajvpDZmKa6zq/gGwn57wN5j1P3uWrAV0+diqnW6kTM2fTqmWNfgYWGmMuiA==} peerDependencies: axios: 0.x || 1.x dependencies: - axios: 1.6.2(debug@3.2.7) + axios: 1.6.5(debug@3.2.7) is-retry-allowed: 2.2.0 dev: false /axios@0.21.4: resolution: {integrity: sha512-ut5vewkiu8jjGBdqpM44XxjuCjq9LAKeHVmoVfHVzy8eHgxxq8SbAVQNovDA8mVi05kP0Ea/n/UzcSHcTJQfNg==} dependencies: - follow-redirects: 1.15.2(debug@3.2.7) - transitivePeerDependencies: - - debug - dev: false - - /axios@1.6.2(debug@3.2.7): - resolution: {integrity: sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==} - dependencies: - follow-redirects: 1.15.2(debug@3.2.7) - form-data: 4.0.0 - proxy-from-env: 1.1.0 + follow-redirects: 1.15.5(debug@3.2.7) transitivePeerDependencies: - debug dev: false 
@@ -12256,11 +12246,32 @@ packages: /axios@1.6.2(debug@4.3.4): resolution: {integrity: sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==} dependencies: - follow-redirects: 1.15.2(debug@4.3.4) + follow-redirects: 1.15.5(debug@4.3.4) form-data: 4.0.0 proxy-from-env: 1.1.0 transitivePeerDependencies: - debug + dev: false + + /axios@1.6.5(debug@3.2.7): + resolution: {integrity: sha512-Ii012v05KEVuUoFWmMW/UQv9aRIc3ZwkWDcM+h5Il8izZCtRVpDUfwpoFf7eOtajT3QiGR4yDUx7lPqHJULgbg==} + dependencies: + follow-redirects: 1.15.5(debug@3.2.7) + form-data: 4.0.0 + proxy-from-env: 1.1.0 + transitivePeerDependencies: + - debug + dev: false + + /axios@1.6.5(debug@4.3.4): + resolution: {integrity: sha512-Ii012v05KEVuUoFWmMW/UQv9aRIc3ZwkWDcM+h5Il8izZCtRVpDUfwpoFf7eOtajT3QiGR4yDUx7lPqHJULgbg==} + dependencies: + follow-redirects: 1.15.5(debug@4.3.4) + form-data: 4.0.0 + proxy-from-env: 1.1.0 + transitivePeerDependencies: + - debug + dev: true /babel-core@7.0.0-bridge.0(@babel/core@7.22.9): resolution: {integrity: sha512-poPX9mZH/5CSanm50Q+1toVci6pv5KSRv/5TWCwtzQS5XEwn40BcCrgIeMFWP9CKKIniKXNxoIOnOq4VVlGXhg==} @@ -15996,8 +16007,8 @@ packages: resolution: {integrity: sha512-GRnmB5gPyJpAhTQdSZTSp9uaPSvl09KoYcMQtsB9rQoOmzs9dH6ffeccH+Z+cv6P68Hu5bC6JjRh4Ah/mHSNRw==} dev: false - /follow-redirects@1.15.2(debug@3.2.7): - resolution: {integrity: sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==} + /follow-redirects@1.15.5(debug@3.2.7): + resolution: {integrity: sha512-vSFWUON1B+yAw1VN4xMfxgn5fTUiaOzAJCKBwIIgT/+7CuGy9+r+5gITvP62j3RmaD5Ph65UaERdOSRGUzZtgw==} engines: {node: '>=4.0'} peerDependencies: debug: '*' 
@@ -16008,8 +16019,8 @@ packages: debug: 3.2.7(supports-color@5.5.0) dev: false - /follow-redirects@1.15.2(debug@4.3.4): - resolution: {integrity: sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==} + /follow-redirects@1.15.5(debug@4.3.4): + resolution: {integrity: sha512-vSFWUON1B+yAw1VN4xMfxgn5fTUiaOzAJCKBwIIgT/+7CuGy9+r+5gITvP62j3RmaD5Ph65UaERdOSRGUzZtgw==} engines: {node: '>=4.0'} peerDependencies: debug: '*' @@ -17197,7 +17208,7 @@ packages: /infisical-node@1.3.0: resolution: {integrity: sha512-tTnnExRAO/ZyqiRdnSlBisErNToYWgtunMWh+8opClEt5qjX7l6HC/b4oGo2AuR2Pf41IR+oqo+dzkM1TCvlUA==} dependencies: - axios: 1.6.2(debug@3.2.7) + axios: 1.6.5(debug@3.2.7) dotenv: 16.3.1 tweetnacl: 1.0.3 tweetnacl-util: 0.15.1 
@@ -18925,7 +18936,7 @@ packages: resolution: {integrity: sha512-Xq9nH7KlWZmXAtodXDDRE7vs6DU1gTU8zYDHDiWLSip45Egwq3plLHzPn27NgvzL2r1LMPC1vdqh98sQxtqj4A==} dev: false - /langchain@0.0.198(@aws-sdk/client-bedrock-runtime@3.454.0)(@aws-sdk/credential-provider-node@3.451.0)(@getzep/zep-js@0.9.0)(@google-ai/generativelanguage@0.2.1)(@huggingface/inference@2.6.4)(@pinecone-database/pinecone@1.1.2)(@qdrant/js-client-rest@1.7.0)(@supabase/supabase-js@2.38.5)(@xata.io/client@0.25.3)(axios@1.6.2)(cohere-ai@6.2.2)(d3-dsv@2.0.0)(epub2@3.0.1)(html-to-text@9.0.5)(lodash@4.17.21)(mammoth@1.6.0)(pdf-parse@1.1.1)(pg@8.11.3)(redis@4.6.12)(typeorm@0.3.17): + /langchain@0.0.198(@aws-sdk/client-bedrock-runtime@3.454.0)(@aws-sdk/credential-provider-node@3.451.0)(@getzep/zep-js@0.9.0)(@google-ai/generativelanguage@0.2.1)(@huggingface/inference@2.6.4)(@pinecone-database/pinecone@1.1.2)(@qdrant/js-client-rest@1.7.0)(@supabase/supabase-js@2.38.5)(@xata.io/client@0.25.3)(axios@1.6.5)(cohere-ai@6.2.2)(d3-dsv@2.0.0)(epub2@3.0.1)(html-to-text@9.0.5)(lodash@4.17.21)(mammoth@1.6.0)(pdf-parse@1.1.1)(pg@8.11.3)(redis@4.6.12)(typeorm@0.3.17): resolution: {integrity: sha512-YC0O1g8r61InCWyF5NmiQjdghdq6LKcgMrDZtqLbgDxAe4RoSldonm+5oNXS3yjCISG0j3s5Cty+yB7klqvUpg==} engines: {node: '>=18'} peerDependencies: @@ -19242,7 +19253,7 @@ packages: '@qdrant/js-client-rest': 1.7.0(typescript@5.3.2) '@supabase/supabase-js': 2.38.5 '@xata.io/client': 0.25.3(typescript@5.3.2) - axios: 1.6.2(debug@3.2.7) + axios: 1.6.5(debug@3.2.7) binary-extensions: 2.2.0 cohere-ai: 6.2.2 d3-dsv: 2.0.0 @@ -22416,7 +22427,7 @@ packages: resolution: {integrity: sha512-ofNX3TPfZPlWErVc2EDk66cIrfp9EXeKBsXFxf8ISXK57b10ANwRnKAlf5rQjxjRKqcUWmV0d3ZfOeVeYracMw==} engines: {node: '>=15.0.0'} dependencies: - axios: 1.6.2(debug@3.2.7) + axios: 1.6.5(debug@3.2.7) rusha: 0.8.14 transitivePeerDependencies: - debug 
@@ -24127,7 +24138,7 @@ packages: asn1.js: 5.4.1 asn1.js-rfc2560: 5.0.1(asn1.js@5.4.1) asn1.js-rfc5280: 3.0.0 - axios: 1.6.2(debug@3.2.7) + axios: 1.6.5(debug@3.2.7) big-integer: 1.6.51 bignumber.js: 9.1.2 binascii: 0.0.2 @@ -26684,7 +26695,7 @@ packages: engines: {node: '>=12.0.0'} hasBin: true dependencies: - axios: 1.6.2(debug@4.3.4) + axios: 1.6.5(debug@4.3.4) joi: 17.11.0 lodash: 4.17.21 minimist: 1.2.8