Resources
Selective dependency resolutions
How to update module subdependencies with yarn
Background
A HIGH severity vulnerability was found in the axios package during a security scan using Trivy, as shown below:
We ran yarn why axios to determine why axios is installed and which packages depend on it. The output revealed that axios is a dependency of Package A, which is listed under the dependencies section of the current project's package.json. This means axios is indirectly included via Package A.
To address the vulnerability in axios, we need to:
1. Upgrade axios in Package A, since it directly includes the vulnerable version.
2. Upgrade Package A in the current project to the version that includes the patched axios.
3. Verify that both Package A and any direct use of axios in the project (if applicable) now rely on the secure, updated version.
This ensures the vulnerability is fully resolved throughout the dependency tree.
Step-by-step guide
In Package A
Upgrade axios in Package A, then release a new version of Package A that includes the updated axios.
In the current project
1. Upgrade to the latest version of Package A by running:
yarn upgrade A --latest
2. Delete the /node_modules folder to ensure a clean install
3. Reinstall all dependencies by running:
yarn install
4. Verify that both Package A and axios have been upgraded in the yarn.lock file
5. Run unit tests to ensure functionality is correct:
In package.json
"scripts": {
...
"test": "jest",
...
Run the command
yarn test
6. Build the project to ensure there are no build-time errors:
In package.json
"scripts": {
...
"build": "next build",
...
Run the command
yarn build
Make sure both commands complete successfully without any errors.
7. Run Trivy again to confirm that the security issue has been resolved:
trivy fs .
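Step 4 asks you to verify in yarn.lock that axios was actually upgraded. A single package can be resolved several times in a lock file (one entry per distinct version range), so a vulnerable copy can survive next to the patched one. The following is an added example, not code from the original post: it parses the yarn lockfile v1 format and lists every axios entry still resolving below a given fixed version. The lock file contents and the fixed version used (1.7.4) are constructed sample values, not taken from the page.

```javascript
// Added example: parse a yarn.lock (v1 format) and report every resolved
// version of a package, so a lingering vulnerable copy cannot hide behind a
// duplicate entry. SAMPLE_YARN_LOCK is constructed sample data, not a real lock.
const SAMPLE_YARN_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"axios@^1.6.0", axios@^1.7.0:
  version "1.7.4"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.7.4.tgz"
  dependencies:
    follow-redirects "^1.15.6"

axios@^0.21.1:
  version "0.21.1"
  resolved "https://registry.yarnpkg.com/axios/-/axios-0.21.1.tgz"

package-a@^2.0.0:
  version "2.0.0"
  dependencies:
    axios "^0.21.1"
`;

// Map of "<name>@<range>" -> resolved version for the given package name.
function resolvedVersions(lockText, pkgName) {
  const result = {};
  let currentKeys = [];
  for (const line of lockText.split("\n")) {
    if (line.startsWith("#") || line.trim() === "") continue;
    if (!line.startsWith(" ")) {
      // Header: one or more comma-separated "name@range" keys ending in ":".
      currentKeys = line.slice(0, -1).split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""))
        .filter((k) => k.startsWith(pkgName + "@"));
      continue;
    }
    const m = line.match(/^ {2}version "([^"]+)"/); // only the entry's own version line
    if (m) for (const k of currentKeys) result[k] = m[1];
  }
  return result;
}

// Numeric "major.minor.patch" comparison; prerelease/build tags are ignored.
function versionAtLeast(actual, minimum) {
  const a = actual.split(/[-+]/)[0].split(".").map(Number);
  const b = minimum.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Lock keys still resolving below the fixed version; an empty list means clean.
function staleEntries(lockText, pkgName, fixedVersion) {
  const versions = resolvedVersions(lockText, pkgName);
  return Object.keys(versions).filter((k) => !versionAtLeast(versions[k], fixedVersion));
}
```

In the constructed sample, `staleEntries(SAMPLE_YARN_LOCK, "axios", "1.7.4")` returns `["axios@^0.21.1"]`, the range still pulled in by package-a, which is exactly the case the guide's "upgrade Package A first" step exists to eliminate.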