axios 1.8.2 has the high OSS vulnerability

[mahaveer-bh]

HI team regards to the axios-1.8.2 latest build has the OSS high security vulnerability when we scanned through blackduck, need your inputs here.

[FenPWysocki]

[mihaxor]

It seams that the latest version does not have the parameter allowAbsoluteUrls in the AxiosRequestConfig for setting the value.

[aykutbulca]

I think allowAbsoluteUrls should be defaulted to false for this vulnerability to be resolved and for versions >= v1.8.0 to be considered breaking. With the current implementation, it behaves the same as the previous versions, if I'm not missing anything.

[Fnu-DevX]

Yes, the allowAbsoluteUrls parameter is not part of AxiosRequestConfig. It is used internally in axios/lib/adapters/http.js to call buildFullPath in axios/lib/core/buildFullPath.js. Modifying its value to false is complex due to how it's integrated into the configuration.

I tried setting it to false, as they suggested in issue 6816 #6816

but I'm facing issues in the test cases, and mocking this behavior is quite challenging. The error message I'm seeing is:

TypeError: URL is not a constructor

javascript
Copy

1 | import axios, {
| ^
2 | AxiosProgressEvent,

This seems related to how Axios internally constructs URLs, and mocking this will likely require additional adjustments.

[mihaxor]

the problem has been solved in the current release version 1.8.3:

• https://github.com/axios/axios/releases/tag/v1.8.3

• 10fa70e

[jasonsaayman]

closing because 1.8.3. fixes this