newrelic@12.3.0 is vulnerable to CVE-2024-39338 in axios #2525
Comments
Duplicate of #2471. Please update your dependencies.
We only depend on newrelic, not @newrelic/security-agent, and we are already using the latest version of newrelic. There is no direct way to update @newrelic/security-agent.
@komolbo Due to the way the semver ranges are defined, a fresh installation of
Thanks. Got it resolved after deleting the node_modules folder and the package-lock.json file and then doing an npm install.
Description
CVE-2024-39338 in axios has been resolved in version 1.7.4 of the package. The dependency of newrelic on axios is an indirect one through @newrelic/security-agent. However, the latest version of @newrelic/security-agent is not being picked up in newrelic. I believe changing the version notation for @newrelic/security-agent in the package.config file for newrelic from "^1.3.0" to "^1.5.0" (which uses version 1.7.4 of axios) should resolve the issue.
Expected Behavior
Snyk scan should show newrelic not vulnerable to CVE-2024-39338
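The condition discussed in this issue, a lockfile that still pins a transitive package below its fixed release, can be checked directly against package-lock.json. The following is an added example, not code from the newrelic project or from anyone in this thread; the function names and the sample lockfile are constructed, and it assumes a lockfileVersion 2 or 3 file with a `packages` map.

```javascript
// Constructed sample: a trimmed package-lock.json (lockfileVersion 3 layout).
// Only 12.3.0 and "^1.3.0" come from the issue; other versions/ranges are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { newrelic: "^12.3.0" } },
    "node_modules/newrelic": {
      version: "12.3.0", dependencies: { "@newrelic/security-agent": "^1.3.0" } },
    "node_modules/@newrelic/security-agent": {
      version: "1.3.0", dependencies: { axios: "^1.6.8" } },
    "node_modules/axios": { version: "1.7.2" }
  }
};

// Compare plain x.y.z versions (prerelease tags ignored): <0, 0 or >0.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Node-style lookup: nearest node_modules/<name> walking up from fromPath.
function resolveFrom(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

// List every locked copy of `name`, whether it is below `fixedIn`, and who pulls it in.
function auditLock(lock, name, fixedIn) {
  const packages = lock.packages || {};
  const copies = {};
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/" + name) || !meta.version) continue;
    copies[path] = { path, version: meta.version, requiredBy: [],
      belowFixed: cmpVersion(meta.version, fixedIn) < 0 };
  }
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    const hit = name in deps ? resolveFrom(packages, path, name) : null;
    if (hit && copies[hit]) copies[hit].requiredBy.push({ from: path || "(root)", range: deps[name] });
  }
  return Object.values(copies);
}
console.log(JSON.stringify(auditLock(sampleLock, "axios", "1.7.4"), null, 2));
```

On a real project, pass the parsed contents of the project's package-lock.json as the first argument; a copy reported with `belowFixed: true` means the lockfile, not the declared range, is holding the old version.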