Summary
@larksuiteoapi/node-sdk@1.71.0 declares "axios": "~1.13.3". That range excludes the patched Axios 1.16.x+ line, so clean installs remain on a vulnerable 1.13.x release even though compatible fixes are available. This is a new advisory set after the Axios 1.x migration in #174 (which closed #133).
Reproduction
From current main (0f69066):
npx --yes yarn@1.22.22 install --frozen-lockfile
node -p "require('axios/package.json').version"
# 1.13.3
npx --yes yarn@1.22.22 audit --groups dependencies --json \
| jq -r 'select(.type == "auditAdvisory") | .data.advisory | select(.module_name == "axios") | [.severity, .patched_versions, .url] | @tsv'
The Axios findings include multiple high-severity advisories. The highest current patched-version floor reported by the audit is >=1.16.0, including:
Impact
Axios is a runtime dependency used for SDK token and API requests. The tilde range prevents package managers from selecting a patched minor release for consumers without an override or a direct dependency. In affected consumer trees, npm audit can consequently report the SDK path as high severity with no automatic fix available.
This report does not claim that every advisory is directly exploitable through every SDK call; it reports that the SDK dependency constraint keeps known-vulnerable Axios code in the runtime graph.
Proposed fix
Change the dependency to "axios": "^1.16.0" and refresh yarn.lock. A fresh Yarn resolution selects Axios 1.18.1, while the declared floor excludes all currently reported Axios advisories and allows future compatible 1.x security releases.
I have a minimal patch ready and validated it with:
yarn build (successful; existing Rollup/TypeScript warnings remain)
- 46 test suites / 450 tests passing
yarn check --integrity
npm pack --dry-run
- Axios-filtered Yarn audit: 0 advisories
The repository still has unrelated audit findings in other dependencies; this issue and patch are intentionally scoped to the Axios path.
Summary
@larksuiteoapi/node-sdk@1.71.0declares"axios": "~1.13.3". That range excludes the patched Axios 1.16.x+ line, so clean installs remain on a vulnerable 1.13.x release even though compatible fixes are available. This is a new advisory set after the Axios 1.x migration in #174 (which closed #133).Reproduction
From current
main(0f69066):The Axios findings include multiple high-severity advisories. The highest current patched-version floor reported by the audit is
>=1.16.0, including:Impact
Axios is a runtime dependency used for SDK token and API requests. The tilde range prevents package managers from selecting a patched minor release for consumers without an override or a direct dependency. In affected consumer trees,
npm auditcan consequently report the SDK path as high severity with no automatic fix available.This report does not claim that every advisory is directly exploitable through every SDK call; it reports that the SDK dependency constraint keeps known-vulnerable Axios code in the runtime graph.
Proposed fix
Change the dependency to
"axios": "^1.16.0"and refreshyarn.lock. A fresh Yarn resolution selects Axios1.18.1, while the declared floor excludes all currently reported Axios advisories and allows future compatible 1.x security releases.I have a minimal patch ready and validated it with:
yarn build(successful; existing Rollup/TypeScript warnings remain)yarn check --integritynpm pack --dry-runThe repository still has unrelated audit findings in other dependencies; this issue and patch are intentionally scoped to the Axios path.