newrelic@12.3.0 is vulnerable to CVE-2024-39338 in axios

[komolbo]

Description

CVE-2024-39338 in axios has been resolved in version 1.7.4 of the package. The dependency of newrelic on axios is an indirect one through @newrelic/security-agent. However, the latest version of @newrelic/security-agent is not being picked up in newrelic. I believe changing the version notation for @newrelic/security-agent in the package.config file for newrelic from "^1.3.0" to "^1.5.0" (which uses version 1.7.4 of axios) should resolve the issue.

Expected Behavior

Snyk scan should show newrelic not vulnerable to CVE-2024-39338

[workato-integration]

https://new-relic.atlassian.net/browse/NR-307557

[jsumners-nr]

Duplicate of #2471.

Please update your dependencies.

[komolbo]

We only depend on newrelic, not @newrelic/security-agent, and we are already using the latest version of newrelic. There is no direct way to update @newrelic/security-agent.

[mrickard]

@komolbo Due to the way the semver ranges are defined, a fresh installation of newrelic will give you an updated version of the included security agent.

[komolbo]

@komolbo Due to the way the semver ranges are defined, a fresh installation of newrelic will give you an updated version of the included security agent.

Thanks. Got it resolved after deleting the node_modules folder and the package-lock.json file and then doing an npm install.