[3.0.2] Vulnerable dependencies axios and dexie #363
Description
According to GitHub Dependabot, used versions of axios and dexie are vulnerable
Lines 154 to 155 in 6a50dc5
Dexie:
Affected versions: < 3.2.2
Patched version: 3.2.2
Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.
Axios:
Affected versions: >= 0.8.1, < 1.6.0
Patched version: 1.6.0
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Please upgrade these dependencies.