Current @slack/bolt@3.14.0 is using axios@0.27.2. There is a Cross-site Request Forgery (CSRF) vulnerability in versions 1.5 and lower.
The axios version should be upgraded to 1.6.0 to address CVE-2023-45857.
Note that the vulnerability is limited to CSRF only. The only instance where we use axios in bolt is for creating a helper utility method to respond to events with a message from a Slack-server-pushed event. I do not believe CSRF is a viable vector of attack in this situation.
That said, it makes sense to update the dependency. Will take a look at the relevant PR (#1986).
Resolved in #1986.