Skip to content

Security: axios ~1.13.3 blocks fixes available in >=1.16.0 #199

Description

@kangkona

Summary

@larksuiteoapi/node-sdk@1.71.0 declares "axios": "~1.13.3". That range excludes the patched Axios 1.16.x+ line, so clean installs remain on a vulnerable 1.13.x release even though compatible fixes are available. This is a new advisory set after the Axios 1.x migration in #174 (which closed #133).

Reproduction

From current main (0f69066):

npx --yes yarn@1.22.22 install --frozen-lockfile
node -p "require('axios/package.json').version"
# 1.13.3

npx --yes yarn@1.22.22 audit --groups dependencies --json \
  | jq -r 'select(.type == "auditAdvisory") | .data.advisory | select(.module_name == "axios") | [.severity, .patched_versions, .url] | @tsv'

The Axios findings include multiple high-severity advisories. The highest current patched-version floor reported by the audit is >=1.16.0, including:

Impact

Axios is a runtime dependency used for SDK token and API requests. The tilde range prevents package managers from selecting a patched minor release for consumers without an override or a direct dependency. In affected consumer trees, npm audit can consequently report the SDK path as high severity with no automatic fix available.

This report does not claim that every advisory is directly exploitable through every SDK call; it reports that the SDK dependency constraint keeps known-vulnerable Axios code in the runtime graph.

Proposed fix

Change the dependency to "axios": "^1.16.0" and refresh yarn.lock. A fresh Yarn resolution selects Axios 1.18.1, while the declared floor excludes all currently reported Axios advisories and allows future compatible 1.x security releases.

I have a minimal patch ready and validated it with:

  • yarn build (successful; existing Rollup/TypeScript warnings remain)
  • 46 test suites / 450 tests passing
  • yarn check --integrity
  • npm pack --dry-run
  • Axios-filtered Yarn audit: 0 advisories

The repository still has unrelated audit findings in other dependencies; this issue and patch are intentionally scoped to the Axios path.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions