
Depends on vulnerable version of axios #445

Closed
mtl1979 opened this issue Nov 14, 2023 · 8 comments
Comments

@mtl1979

mtl1979 commented Nov 14, 2023

Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
No fix available
node_modules/tronweb/node_modules/axios
  tronweb  *
  Depends on vulnerable versions of axios
  node_modules/tronweb
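The audit output above reports a nested copy of axios under node_modules/tronweb that npm cannot upgrade on its own. The script below is an added example, not code from the issue or from the TronWeb project: it walks a lockfileVersion 2/3 package-lock.json, lists every resolved axios (top-level and nested), flags those below 1.6.0 (the first fixed release listed for GHSA-wf5p-g6vw-rhxx), and prints the package.json "overrides" entry that forces one fixed axios across the tree until the upstream dependency is bumped. The sample lockfile and the version numbers in it are constructed for the example; the override is a workaround whose resulting tree must still be tested against tronweb.

```javascript
// Added example (not part of the issue thread or the TronWeb project):
// scan a package-lock.json "packages" map for every resolved copy of axios,
// including nested ones such as node_modules/tronweb/node_modules/axios,
// and flag the copies below the first fixed release.
const FIXED_AXIOS = '1.6.0'; // fix version listed for GHSA-wf5p-g6vw-rhxx

// Minimal major.minor.patch comparison; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.replace(/^v/, '').split('-')[0].split('.').map(Number);
  const pb = b.replace(/^v/, '').split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version, vulnerable }] for every axios entry in the lock,
// whether it is hoisted to the root or nested under another package.
function findAxios(lockJson, fixed = FIXED_AXIOS) {
  const lock = JSON.parse(lockJson);
  const packages = lock.packages || {};
  const results = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
      results.push({
        path,
        version: meta.version,
        vulnerable: compareVersions(meta.version, fixed) < 0,
      });
    }
  }
  return results;
}

// package.json fragment that forces a single fixed axios across the tree
// (npm "overrides", npm >= 8.3). Workaround only: retest the app afterwards.
function axiosOverride(fixed = FIXED_AXIOS) {
  return { overrides: { axios: `>=${fixed}` } };
}

// Constructed sample lockfile (versions are illustrative, not tronweb's real
// dependency spec): the root axios is fixed, the copy nested under tronweb
// is not, which is the situation npm audit reports above.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { axios: '^1.6.2', tronweb: '*' } },
    'node_modules/axios': { version: '1.6.2' },
    'node_modules/tronweb': { version: '5.3.1', dependencies: { axios: '^0.26.1' } },
    'node_modules/tronweb/node_modules/axios': { version: '0.26.1' },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of findAxios(SAMPLE_LOCK)) {
    console.log(`${r.path}\t${r.version}\t${r.vulnerable ? 'VULNERABLE' : 'ok'}`);
  }
  console.log(JSON.stringify(axiosOverride(), null, 2));
}
```

Run it with `node` against a real lockfile by replacing SAMPLE_LOCK with `fs.readFileSync('package-lock.json', 'utf8')`; `npm ls axios` gives the same tree view, but the script also tells you which copies sit below the fix version.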
@svein1010

Thanks a lot! We will update the axios soon.

@Ponnar-Evvo

Ponnar-Evvo commented Dec 3, 2023

@mtl1979 @svein1010 Is the issue resolved? We still get the same error.

@mtl1979
Author

mtl1979 commented Dec 3, 2023

> @mtl1979 @svein1010 Is the issue resolved? We still get the same error.

I don't see a new release with the fix included yet...

@start940315
Contributor

Updated in TronWeb v6.0.0-beta.0. You are welcome to try it.

@mtl1979
Author

mtl1979 commented Dec 7, 2023

It's quite obvious that some developers refuse to use TypeScript, as it makes the existing JavaScript code less readable and requires a substantial rewrite, so the code needs to be thoroughly retested on testnet. The same happened when web3js switched to TypeScript in the 4.x series...

Callback functions are essential in asynchronous programs that depend on the proper sequential order of executing methods. There is no guarantee that promises are executed in sequential order. This can, for example, cause transaction nonces to be out of order, or the program to get the same nonce over and over, causing transaction sends to fail if too many transactions (sometimes just more than one) are unconfirmed concurrently.
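The comment above describes the failure mode where several concurrent sends each read the same nonce. The simulation below is an added example, not code from the issue or from TronWeb, and assumes an account-nonce model (as in web3js) with an invented node API (`getNonce`, `sendRawTransaction`) whose latency is simulated with timers. It first fires the sends concurrently and shows the duplicate-nonce rejections, then routes them through a single promise chain so that each read-sign-send completes before the next starts, which is the ordering guarantee the comment asks for, obtained with promises rather than callbacks.

```javascript
// Added example (not from the issue thread or TronWeb): a simulated node with
// an account nonce, driven first by concurrent promises and then through a
// promise queue that serializes "read nonce, sign, send".
class FakeNode {
  constructor() {
    this.pendingNonce = 0; // next nonce the node will accept
    this.accepted = [];    // nonces of accepted transactions, in order
    this.rejected = [];    // nonces rejected because they were already used
  }
  // Simulated network latency so that concurrent callers interleave.
  async getNonce() {
    await new Promise((r) => setTimeout(r, 5));
    return this.pendingNonce;
  }
  async sendRawTransaction(tx) {
    await new Promise((r) => setTimeout(r, 5));
    if (tx.nonce === this.pendingNonce) {
      this.pendingNonce++;
      this.accepted.push(tx.nonce);
      return true;
    }
    this.rejected.push(tx.nonce);
    return false;
  }
}

// Naive pattern: every caller reads the nonce from the node on its own.
// All of them observe the same pending nonce, so only the first send lands.
async function sendNaive(node, count) {
  const jobs = Array.from({ length: count }, async (_, i) => {
    const nonce = await node.getNonce();
    return node.sendRawTransaction({ nonce, payload: `tx${i}` });
  });
  await Promise.all(jobs);
  return { accepted: [...node.accepted], rejected: [...node.rejected] };
}

// Serialized pattern: one promise chain per account. Each job is chained onto
// the tail, so the nonce read by job n+1 already reflects transaction n.
class NonceQueue {
  constructor(node) {
    this.node = node;
    this.tail = Promise.resolve();
  }
  enqueue(payload) {
    const run = async () => {
      const nonce = await this.node.getNonce();
      return this.node.sendRawTransaction({ nonce, payload });
    };
    const next = this.tail.then(run);
    // A failed send must not wedge the queue for later sends.
    this.tail = next.then(() => undefined, () => undefined);
    return next;
  }
}

async function sendSerialized(node, count) {
  const queue = new NonceQueue(node);
  const results = [];
  for (let i = 0; i < count; i++) results.push(queue.enqueue(`tx${i}`));
  await Promise.all(results);
  return { accepted: [...node.accepted], rejected: [...node.rejected] };
}

if (typeof require !== 'undefined' && require.main === module) {
  (async () => {
    console.log('naive     ', await sendNaive(new FakeNode(), 4));
    console.log('serialized', await sendSerialized(new FakeNode(), 4));
  })();
}
```

The queue only guarantees ordering for sends that go through the same `NonceQueue` instance; a second process or a second queue for the same account brings the race back, which is why a production nonce manager usually also tracks the locally assigned nonce instead of re-reading it from the node each time.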

@start940315
Contributor

> It's quite obvious that some developers refuse to use TypeScript, as it makes the existing JavaScript code less readable and requires a substantial rewrite, so the code needs to be thoroughly retested on testnet. The same happened when web3js switched to TypeScript in the 4.x series...
>
> Callback functions are essential in asynchronous programs that depend on the proper sequential order of executing methods. There is no guarantee that promises are executed in sequential order. This can, for example, cause transaction nonces to be out of order, or the program to get the same nonce over and over, causing transaction sends to fail if too many transactions (sometimes just more than one) are unconfirmed concurrently.

Please accept that TypeScript is very popular now, and we are going to pay more attention to it. Though you may see TronWeb v5.3.2 in the future and it may fix the problem, you can still try to rewrite your code and take advantage of promises and TypeScript.

@mtl1979
Author

mtl1979 commented Dec 16, 2023

> Please accept that TypeScript is very popular now, and we are going to pay more attention to it. Though you may see TronWeb v5.3.2 in the future and it may fix the problem, you can still try to rewrite your code and take advantage of promises and TypeScript.

Forcing people to rewrite production code is not even an option. Canonical tried to force people to move from Ubuntu 18.04 to more recent versions and ended up breaking so many applications that some companies still refuse to upgrade their production servers to more recent versions. Even for Ubuntu 18.04 to work correctly, people had to downgrade gcc to 6.5, because gcc 7.5 couldn't even run on their machines.

@start940315
Contributor

I've figured out what you mean. Please wait for TronWeb v5.3.2. It will solve the problem.
