Axios Vulnerability in Square NPM requirements?

# npm audit report

axios  1.3.2 - 1.7.3
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios

1 high severity vulnerability

I traced this through and it’s to do with one of the @ requirements within Square. Is this something to actually be concerned about? The original message when installing the Square package said that applying the fix would be a breaking change, so I’d rather not if it isn’t necessary.

:wave: I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

Square Node.js SDK Quickstart
https://developer.squareup.com/docs/orders-api/quick-start/start
Order-Ahead Sample Application

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

The vulnerability you’re seeing is related to the axios package, which is a dependency of the Square Node.js SDK. This particular vulnerability is a Server-Side Request Forgery (SSRF) vulnerability.

However, it’s important to note that each SDK version is tied to a specific Square API version. An increase in the SDK major version number indicates a breaking change. Therefore, you should test your application before deploying the change to production.

It’s recommended to stay current with the SDK updates and maintain your code. This helps you avoid using deprecated features and retired features, which can break your application in production.

If you’re concerned about this vulnerability, you should consider updating the SDK version in your application to use the new features and security updates. But remember to test your application thoroughly after the update to ensure everything works as expected.

This answer was reviewed by @Bryan-Square.

I assume that I’m using the Square NPM package V 37.1.1, which I assume is the latest. That’s the version that NPM is giving me the warning about the Axios version.

This response is not particularly helpful. Let me restate my question in a different way:

Is there any way someone could exploit this vulnerability in my application, since I appear to have no ability to upgrade the Axios version without breaking the Square SDK? Or should I ignore it because that feature of Axios isn’t used by the Square SDK?

The risk of someone exploiting the Axios vulnerability in your application depends on the specific vulnerability in question and how Axios is utilized within the Square SDK. Generally, if the vulnerable feature or code path in Axios is not used by the SDK, the risk may be minimal. The teams that maintain the SDKs are aware of these warnings and we still do recommend using the SDK. They can be ignored. :slightly_smiling_face:

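To make the "is the flagged axios version actually installed, and which package pulls it in" check concrete, here is an added example (not code from the thread or from the Square SDK) that reads a package-lock.json in the lockfileVersion 3 layout and tests the installed axios against the range npm audit reported (1.3.2 - 1.7.3). The lockfile object and the @example/transport package are constructed for the demo.

```javascript
// Added example: locate a transitive axios dependency in a package-lock.json
// (lockfileVersion 3 layout) and check it against the vulnerable range that
// npm audit reported. LOCK is a constructed stand-in for a real lockfile;
// "@example/transport" is a placeholder for whatever @-scoped package the SDK
// actually uses. In practice: LOCK = JSON.parse(fs.readFileSync('package-lock.json')).
const LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { square: '37.1.1' } },
    'node_modules/square': { version: '37.1.1', dependencies: { '@example/transport': '1.0.0' } },
    'node_modules/@example/transport': { version: '1.0.0', dependencies: { axios: '^1.6.0' } },
    'node_modules/axios': { version: '1.7.2' },
  },
};

// Numeric major.minor.patch comparison; a pre-release suffix is stripped for this demo.
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Inclusive range check, matching how npm audit prints "1.3.2 - 1.7.3".
function inRange(version, lo, hi) {
  return cmpVersion(version, lo) >= 0 && cmpVersion(version, hi) <= 0;
}

// npm resolves a dependency from the parent's own node_modules first, then the
// hoisted top-level copy; deeper ancestor lookups are omitted here.
function resolveKey(pkgs, parentKey, dep) {
  const nested = parentKey ? `${parentKey}/node_modules/${dep}` : null;
  return nested && pkgs[nested] ? nested : `node_modules/${dep}`;
}

// Depth-first walk from the root package; returns the first chain reaching `target`.
function findDependencyChain(lock, target) {
  const pkgs = lock.packages;
  const visited = new Set();
  function walk(key, chain) {
    const entry = pkgs[key];
    if (!entry || visited.has(key)) return null;
    visited.add(key);
    for (const dep of Object.keys(entry.dependencies || {})) {
      const next = chain.concat(dep);
      if (dep === target) return next;
      const found = walk(resolveKey(pkgs, key, dep), next);
      if (found) return found;
    }
    return null;
  }
  return walk('', []);
}

// Summarise: installed axios version, whether it is in the audited range, and who pulls it in.
function auditAxios(lock) {
  const installed = (lock.packages['node_modules/axios'] || {}).version;
  return {
    installed,
    vulnerable: installed ? inRange(installed, '1.3.2', '1.7.3') : false,
    chain: findDependencyChain(lock, 'axios'),
  };
}
```

The chain it returns is the same information `npm ls axios` prints, which is the quickest way to confirm that the flagged copy is only reachable through the SDK and not also through your own code.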