Tags: vue.js, axios, nuxt.js, npm-vulnerabilities

Axios vulnerability detected when installing @nuxtjs/auth-next


I have a nuxt project and I was trying to install nuxt auth, but every time I install this package, this Axios Cross-Site Request Forgery Vulnerability appears. This is my package.json file:

{
  "name": "nuxt-app",
  "private": true,
  "type": "module",
  "scripts": {
    "build": "nuxt build",
    "dev": "nuxt dev",
    "generate": "nuxt generate",
    "preview": "nuxt preview",
    "postinstall": "nuxt prepare"
  },
  "dependencies": {
    "@mdi/font": "^7.4.47",
    "@nuxtjs/auth-next": "^5.0.0-1667386184.dfbbb54",
    "axios": "^1.6.8",
    "nuxt": "^3.10.3",
    "vue": "^3.4.21",
    "vue-router": "^4.3.0"
  },
  "devDependencies": {
    "sass": "^1.71.1",
    "vite-plugin-vuetify": "^2.0.3",
    "vuetify": "^3.5.9"
  }
}

I have searched online for a way to fix it and found that a solution for this problem is to install an axios version >= 1.6.0. So I installed the latest axios version, but the problem persists. I checked that the installed version is >= 1.6.0, both in the package.json file and by running the following command: npm list. I also tried installing on a different computer, and I deleted the package-lock.json and the node_modules folder and then installed all dependencies again, but neither approach worked. I also tried running the command npm audit fix --force, but it did not work. What am I missing?


Solution

  • NPM audit report refers to this vulnerability.

    The correct command to list nested axios dependencies is npm list axios. It shows that both @nuxtjs/auth-next and @nuxtjs/axios have dependencies on Axios 0.x:

    +-- @nuxtjs/[email protected]
    | +-- @nuxtjs/[email protected]
    | | `-- [email protected]
    | `-- [email protected]
    +-- [email protected]
    `-- [email protected]
      `-- @nuxt/[email protected]
        `-- @vue/[email protected]
          `-- @vue/[email protected]
            `-- @vueuse/[email protected]
              `-- [email protected] deduped
    

    The intention is to dedupe the nested axios dependencies to the project's [email protected].

    This requires adding an overrides section to package.json:

      "overrides": {
        "@nuxtjs/auth-next": {
          "axios": "$axios",
          "@nuxtjs/axios": {
            "axios": "$axios"
          }
        }
      }
    

    Then completely reinstall the dependencies by removing package-lock.json and node_modules and running npm i. The output of npm list axios should then be:

    +-- @nuxtjs/[email protected] overridden
    | +-- @nuxtjs/[email protected] overridden
    | | `-- [email protected] deduped <--
    | `-- [email protected] deduped <--
    +-- [email protected]
    `-- [email protected]
      `-- @nuxt/[email protected]
        `-- @vue/[email protected]
          `-- @vue/[email protected]
            `-- @vueuse/[email protected]
              `-- [email protected] deduped
    

    Overriding the dependencies with an incompatible version carries a certain risk. Whether doing this has no negative impact on the package's operation still needs to be verified.
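As an added example (not code from the question or the answer above), the following Node script automates the two checks the answer performs by hand: it walks the JSON tree that `npm ls axios --json --all` prints, reports every nested copy of axios whose version is below the 1.6.0 lower bound named in the question, and builds the nested `overrides` object in the form the answer shows. The dependency tree embedded below is constructed to mirror the shape in the answer; the 0.x version numbers in it are made up for illustration and are not taken from the page.

```javascript
// Added example: audit an `npm ls <pkg> --json --all` tree for nested copies
// of a package below a minimum version, and build the matching overrides.
// Assumes the npm JSON shape: each node has `version` and an optional
// `dependencies` map keyed by package name.

const MIN_AXIOS = "1.6.0"; // lower bound named in the question

// Constructed sample tree (NOT real `npm ls` output): same shape as the
// answer's listing. The 0.x versions are made-up placeholders.
const SAMPLE_TREE = {
  name: "nuxt-app",
  dependencies: {
    "@nuxtjs/auth-next": {
      version: "5.0.0-1667386184.dfbbb54",
      dependencies: {
        "@nuxtjs/axios": {
          version: "0.0.0-constructed",
          dependencies: { axios: { version: "0.27.0-constructed" } },
        },
        axios: { version: "0.27.0-constructed" },
      },
    },
    axios: { version: "1.6.8" },
  },
};

// Minimal major.minor.patch comparison; prerelease/build suffixes are ignored.
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every node named `pkg`, with the path that
// reaches it (so the report shows *which* parent pulls in the old copy).
function findPackage(tree, pkg, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) out.push({ path: here.join(" > "), version: node.version });
    findPackage(node, pkg, here, out);
  }
  return out;
}

// Copies of `pkg` that fall below `minVersion`; these are what `npm audit`
// keeps flagging even though the root project already has a fixed version.
function vulnerableCopies(tree, pkg, minVersion) {
  return findPackage(tree, pkg).filter(
    (c) => compareVersions(c.version, minVersion) < 0
  );
}

// Build the nested `overrides` block from a chain of parents, pinning every
// level's copy of `pkg` to the root project's own version via "$<pkg>".
// For ["@nuxtjs/auth-next", "@nuxtjs/axios"] this yields the object the
// answer pastes into package.json.
function buildOverrides(pkg, parentChain) {
  let child = null;
  for (let i = parentChain.length - 1; i >= 0; i--) {
    const node = { [pkg]: `$${pkg}` };
    if (child) Object.assign(node, child);
    child = { [parentChain[i]]: node };
  }
  return child || {};
}

// Stand-alone run: print the findings and the suggested overrides block.
for (const c of vulnerableCopies(SAMPLE_TREE, "axios", MIN_AXIOS)) {
  console.log(`below ${MIN_AXIOS}: ${c.path}`);
}
console.log(
  JSON.stringify(
    { overrides: buildOverrides("axios", ["@nuxtjs/auth-next", "@nuxtjs/axios"]) },
    null,
    2
  )
);
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls axios --json --all`; the `path` field of each finding tells you which parent package to name in the override chain. As the answer notes, the override only changes which copy is installed, so the packages that were written against axios 0.x still need to be exercised to confirm they work with 1.x.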