fix(security): address CVE-2021-3749 - axios >=0.22.0

Ensured that axios is updated to >=0.22.0 in all packages that use it. The only place where it was not possible to upgrade it through upgrading transitive dependencies was the ubiquity connector package so for that one I forced the issue through the resolutions section of the root package.json. ----------------------------------------------- The GitHub Cacti security advisory: https://github.com/hyperledger/cacti/security/dependabot/361 The general GitHub security advisory: GHSA-cph5-m8f7-6c5x Weaknesses - [WeaknessCWE-400](https://cwe.mitre.org/data/definitions/400.html) - [WeaknessCWE-1333](https://cwe.mitre.org/data/definitions/1333.html) CVE ID: `CVE-2021-3749` GHSA ID: `GHSA-cph5-m8f7-6c5x` Fixes hyperledger#2790 [skip ci] Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz · Oct 13, 2023 · 1eb0017 · 1eb0017
1 parent a04fc5b
commit 1eb0017
Show file tree

Hide file tree

Showing 39 changed files with 185 additions and 426 deletions.
diff --git a/examples/cactus-example-carbon-accounting-business-logic-plugin/package.json b/examples/cactus-example-carbon-accounting-business-logic-plugin/package.json
@@ -64,7 +64,7 @@
     "@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-xdai": "2.0.0-alpha.2",
     "async-exit-hook": "2.0.1",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.1",
     "openapi-types": "9.1.0",
     "typescript-optional": "2.0.1",

diff --git a/examples/cactus-example-cbdc-bridging-backend/package.json b/examples/cactus-example-cbdc-bridging-backend/package.json
@@ -70,7 +70,7 @@
     "@openzeppelin/contracts": "4.9.3",
     "@openzeppelin/contracts-upgradeable": "4.9.3",
     "async-exit-hook": "2.0.1",
-    "axios": "^0.27.2",
+    "axios": "1.5.1",
     "crypto-js": "4.1.1",
     "dotenv": "^16.0.1",
     "fabric-network": "2.2.10",

diff --git a/examples/cactus-example-discounted-asset-trade/package.json b/examples/cactus-example-discounted-asset-trade/package.json
@@ -23,7 +23,7 @@
     "@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-alpha.2",
     "@hyperledger/cactus-verifier-client": "2.0.0-alpha.2",
     "@types/node": "14.18.54",
-    "axios": "0.24.0",
+    "axios": "1.5.1",
     "body-parser": "1.19.2",
     "cookie-parser": "1.4.6",
     "debug": "3.1.0",

diff --git a/examples/cactus-example-supply-chain-backend/package.json b/examples/cactus-example-supply-chain-backend/package.json
@@ -64,7 +64,7 @@
     "@hyperledger/cactus-plugin-ledger-connector-quorum": "2.0.0-alpha.2",
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.2",
     "async-exit-hook": "2.0.1",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "dotenv": "16.0.0",
     "express": "4.17.3",
     "express-jwt": "8.4.1",

diff --git a/examples/cactus-example-supply-chain-business-logic-plugin/package.json b/examples/cactus-example-supply-chain-business-logic-plugin/package.json
@@ -65,7 +65,7 @@
     "@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-quorum": "2.0.0-alpha.2",
     "async-exit-hook": "2.0.1",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.3",
     "openapi-types": "9.1.0",
     "typescript-optional": "2.0.1",

diff --git a/extensions/cactus-plugin-htlc-coordinator-besu/package.json b/extensions/cactus-plugin-htlc-coordinator-besu/package.json
@@ -64,7 +64,7 @@
     "@hyperledger/cactus-plugin-htlc-eth-besu-erc20": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-alpha.2",
     "@hyperledger/cactus-test-plugin-htlc-eth-besu-erc20": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "body-parser": "1.19.0",
     "fast-safe-stringify": "2.1.1",
     "joi": "14.3.1",

diff --git a/extensions/cactus-plugin-object-store-ipfs/package.json b/extensions/cactus-plugin-object-store-ipfs/package.json
@@ -58,7 +58,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "ipfs-http-client": "51.0.1",
     "run-time-error": "1.4.0",
     "typescript-optional": "2.0.1",

diff --git a/package.json b/package.json
@@ -78,6 +78,7 @@
   },
   "resolutions": {
     "ansi-html": ">0.0.8",
+    "axios": ">=0.22.0",
     "glob-parent": "5.1.2",
     "lodash": ">=4.17.21",
     "minimist": ">=1.2.6",

diff --git a/packages/cactus-cmd-api-server/package.json b/packages/cactus-cmd-api-server/package.json
@@ -65,7 +65,7 @@
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
     "@thream/socketio-jwt": "2.1.1",
     "async-exit-hook": "2.0.1",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "bluebird": "3.7.2",
     "body-parser": "1.20.1",
     "compression": "1.7.4",

diff --git a/packages/cactus-core-api/package.json b/packages/cactus-core-api/package.json
@@ -60,7 +60,7 @@
   },
   "dependencies": {
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
-    "axios": "0.21.4"
+    "axios": "1.5.1"
   },
   "devDependencies": {
     "@grpc/grpc-js": "1.9.0",

diff --git a/packages/cactus-plugin-consortium-manual/package.json b/packages/cactus-plugin-consortium-manual/package.json
@@ -58,7 +58,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "body-parser": "1.19.0",
     "express": "4.17.3",
     "jose": "4.9.2",

diff --git a/packages/cactus-plugin-htlc-eth-besu-erc20/package.json b/packages/cactus-plugin-htlc-eth-besu-erc20/package.json
@@ -64,7 +64,7 @@
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.1",
     "joi": "17.9.1",
     "openapi-types": "9.1.0",

diff --git a/packages/cactus-plugin-htlc-eth-besu/package.json b/packages/cactus-plugin-htlc-eth-besu/package.json
@@ -72,7 +72,7 @@
     "@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-alpha.2",
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "bn.js": "5.2.1",
     "dotenv": "16.0.3",
     "ethers": "6.3.0",

diff --git a/packages/cactus-plugin-keychain-aws-sm/package.json b/packages/cactus-plugin-keychain-aws-sm/package.json
@@ -59,7 +59,7 @@
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
     "aws-sdk": "2.965.0",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "http-status-codes": "2.1.4",
     "prom-client": "13.2.0",
     "typescript-optional": "2.0.1"

diff --git a/packages/cactus-plugin-keychain-azure-kv/package.json b/packages/cactus-plugin-keychain-azure-kv/package.json
@@ -60,12 +60,12 @@
     "webpack:dev:web": "webpack --env=dev --target=web --config ../../webpack.config.js"
   },
   "dependencies": {
-    "@azure/identity": "1.5.0",
+    "@azure/identity": "3.3.1",
     "@azure/keyvault-secrets": "4.3.0",
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "http-status-codes": "2.1.4",
     "typescript-optional": "2.0.1"
   },

diff --git a/packages/cactus-plugin-keychain-google-sm/package.json b/packages/cactus-plugin-keychain-google-sm/package.json
@@ -59,7 +59,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "http-status-codes": "2.1.4",
     "typescript-optional": "2.0.1"
   },

diff --git a/packages/cactus-plugin-keychain-memory-wasm/package.json b/packages/cactus-plugin-keychain-memory-wasm/package.json
@@ -63,7 +63,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.1",
     "prom-client": "13.2.0",
     "uuid": "8.3.2"

diff --git a/packages/cactus-plugin-keychain-memory/package.json b/packages/cactus-plugin-keychain-memory/package.json
@@ -58,7 +58,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.3",
     "prom-client": "13.2.0",
     "uuid": "8.3.2"

diff --git a/packages/cactus-plugin-keychain-vault/package.json b/packages/cactus-plugin-keychain-vault/package.json
@@ -58,7 +58,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "http-status-codes": "2.1.4",
     "node-vault": "0.9.22",
     "prom-client": "13.2.0",

diff --git a/packages/cactus-plugin-ledger-connector-besu/package.json b/packages/cactus-plugin-ledger-connector-besu/package.json
@@ -57,7 +57,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.3",
     "joi": "17.9.1",
     "openapi-types": "9.1.0",

diff --git a/packages/cactus-plugin-ledger-connector-cdl-socketio/package.json b/packages/cactus-plugin-ledger-connector-cdl-socketio/package.json
@@ -50,7 +50,7 @@
     "start": "node ./dist/lib/main/typescript/common/core/bin/www.js"
   },
   "dependencies": {
-    "axios": "0.27.2",
+    "axios": "1.5.1",
     "body-parser": "1.20.2",
     "config": "3.3.7",
     "cookie-parser": "1.4.6",

diff --git a/packages/cactus-plugin-ledger-connector-corda/package.json b/packages/cactus-plugin-ledger-connector-corda/package.json
@@ -59,7 +59,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express-openapi-validator": "5.0.4",
     "internal-ip": "6.2.0",
     "joi": "17.9.1",

diff --git a/packages/cactus-plugin-ledger-connector-ethereum/package.json b/packages/cactus-plugin-ledger-connector-ethereum/package.json
@@ -66,7 +66,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.3",
     "minimist": "1.2.8",
     "prom-client": "13.2.0",

diff --git a/packages/cactus-plugin-ledger-connector-fabric/package.json b/packages/cactus-plugin-ledger-connector-fabric/package.json
@@ -59,7 +59,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "bl": "5.0.0",
     "bn.js": "4.12.0",
     "express": "4.17.3",

diff --git a/packages/cactus-plugin-ledger-connector-iroha/package.json b/packages/cactus-plugin-ledger-connector-iroha/package.json
@@ -59,7 +59,7 @@
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
     "@types/google-protobuf": "3.15.5",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.1",
     "fast-safe-stringify": "2.1.1",
     "grpc": "1.24.11",

diff --git a/packages/cactus-plugin-ledger-connector-quorum/package.json b/packages/cactus-plugin-ledger-connector-quorum/package.json
@@ -60,7 +60,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.3",
     "minimist": "1.2.8",
     "prom-client": "13.2.0",

diff --git a/packages/cactus-plugin-ledger-connector-xdai/package.json b/packages/cactus-plugin-ledger-connector-xdai/package.json
@@ -57,7 +57,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.1",
     "joi": "17.9.1",
     "openapi-types": "9.1.0",

diff --git a/packages/cactus-plugin-odap-hermes/package.json b/packages/cactus-plugin-odap-hermes/package.json
@@ -57,7 +57,7 @@
     "@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-object-store-ipfs": "2.0.0-alpha.2",
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "crypto-js": "4.0.0",
     "knex": "2.4.0",
     "secp256k1": "4.0.3",

diff --git a/packages/cactus-plugin-persistence-ethereum/package.json b/packages/cactus-plugin-persistence-ethereum/package.json
@@ -73,7 +73,7 @@
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-go-ethereum-socketio": "2.0.0-alpha.2",
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.2",
-    "@openapitools/openapi-generator-cli": "2.4.14",
+    "@openapitools/openapi-generator-cli": "2.7.0",
     "@types/express": "4.17.13",
     "@types/pg": "8.6.5",
     "@types/sanitize-html": "2.9.0",

diff --git a/packages/cactus-plugin-persistence-fabric/package.json b/packages/cactus-plugin-persistence-fabric/package.json
@@ -72,7 +72,7 @@
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "fabric-protos": "2.2.18",
     "js-sha256": "0.9.0",
     "pg": "8.8.0",

diff --git a/packages/cactus-test-plugin-consortium-manual/package.json b/packages/cactus-test-plugin-consortium-manual/package.json
@@ -56,7 +56,7 @@
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-consortium-manual": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "jose": "4.9.2"
   },
   "engines": {

diff --git a/packages/cactus-test-plugin-htlc-eth-besu-erc20/package.json b/packages/cactus-test-plugin-htlc-eth-besu-erc20/package.json
@@ -58,7 +58,7 @@
     "@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-alpha.2",
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.17.1",
     "web3-eth-abi": "4.0.3",
     "web3-utils": "4.0.3"

diff --git a/packages/cactus-test-plugin-htlc-eth-besu/package.json b/packages/cactus-test-plugin-htlc-eth-besu/package.json
@@ -58,7 +58,7 @@
     "@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-alpha.2",
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "key-encoder": "2.0.3",
     "web3": "1.6.1",
     "web3js-quorum": "22.4.0"

diff --git a/packages/cactus-test-tooling/package.json b/packages/cactus-test-tooling/package.json
@@ -61,7 +61,7 @@
   },
   "dependencies": {
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "compare-versions": "3.6.0",
     "dockerode": "3.3.0",
     "elliptic": "6.5.4",

diff --git a/weaver/samples/besu/besu-cli/package-local.json b/weaver/samples/besu/besu-cli/package-local.json
@@ -34,7 +34,7 @@
     "@hyperledger/cacti-weaver-sdk-besu": "file:../../../sdks/besu/node",
     "@hyperledger/cacti-weaver-protos-js": "file:../../../common/protos-js",
     "@truffle/contract": "4.2.14",
-    "gluegun": "5.1.3",
+    "gluegun": "5.1.6",
     "winston": "3.3.3"
   },
   "devDependencies": {

diff --git a/weaver/samples/besu/besu-cli/package.json b/weaver/samples/besu/besu-cli/package.json
@@ -41,7 +41,7 @@
     "@hyperledger/cacti-weaver-protos-js": "2.0.0-alpha.2",
     "@hyperledger/cacti-weaver-sdk-besu": "2.0.0-alpha.2",
     "@truffle/contract": "4.6.28",
-    "gluegun": "5.1.3",
+    "gluegun": "5.1.6",
     "winston": "3.10.0"
   },
   "devDependencies": {

diff --git a/weaver/samples/fabric/fabric-cli/package-local.json b/weaver/samples/fabric/fabric-cli/package-local.json
@@ -42,7 +42,7 @@
     "express": "4.18.2",
     "fabric-ca-client": "2.2.18",
     "fabric-network": "2.2.18",
-    "gluegun": "5.1.3",
+    "gluegun": "5.1.6",
     "grpc-tools": "1.12.4",
     "ini": "1.3.8",
     "node-notifier": "8.0.2",

diff --git a/weaver/samples/fabric/fabric-cli/package.json b/weaver/samples/fabric/fabric-cli/package.json
@@ -50,7 +50,7 @@
     "express": "4.18.2",
     "fabric-ca-client": "2.2.18",
     "fabric-network": "2.2.18",
-    "gluegun": "5.1.3",
+    "gluegun": "5.1.6",
     "grpc-tools": "1.12.4",
     "ini": "1.3.8",
     "node-notifier": "8.0.2",