Security Vulnerability: axios dependency needs update

[thedinosoar]

Our app uses the latest storybook-zeplin package (3.0.0 as of now), which relies on the @zeplin/sdk v1.9.0, which uses a very old version of axios with a high Server-side Request Forgery (SSRF) 8.8 level vulnerability (https://security.snyk.io/vuln/SNYK-JS-AXIOS-7361793).

Please update the axios dependency to a non-vulnerable version (e.g., axios@1.9.0 or later - please verify the latest secure version).

[aykutbulca]

Thank you for flagging this.

You're absolutely right — earlier versions of @zeplin/sdk relied on an outdated version of axios that was affected by a known SSRF vulnerability (SNYK-JS-AXIOS-7361793).

We actually addressed this issue a few months ago by updating the axios dependency, but due to a CI failure, the fix wasn’t published at the time. This has now been resolved, and the latest version of @zeplin/sdk (v1.28.0) includes the updated, secure axios (v1.6.7 or later, depending on your lockfile).

Please update to @zeplin/sdk@1.28.0 and let us know if you run into any issues or need further assistance.

[thedinosoar]

@aykutbulca It looks like since @zeplin/sdk v1.28.0 only uses axios v1.6.7, it is still affected by this vulnerability. The CVE states that the vulnerable versions are >=1.3.2 <1.7.4

For our project we just had to override the version of axios this package uses, which isn't ideal, so figured it'd be easier to just make a PR #12

[aykutbulca]

The package.json specifies "axios": "^1.6.8", and because of how the caret (^) works, it allows both minor and patch updates, up to (but not including) 2.0.0. Since axios has released versions beyond, npm resolves the dependency to 1.8.3 in the package-lock.json, which is outside the affected range.

As a result, npm audit reports 0 vulnerabilities when using the latest version of the @zeplin/sdk package.

If you're seeing different behavior, make sure you're using the latest version of @zeplin/sdk and that your lockfile is up to date.

[thedinosoar]

Oh I see, thank you for pointing that out. I'll close this issue now. Updating my package lock fixed it for me.

Out of curiosity, is there a reason to not change axios' version to the latest and make a new release for this package? Is it just to avoid breaking dependents?

[aykutbulca]

There is no specific reason—I just re-triggered the failed CI job from a few months ago and wanted to note that the issue was already resolved after that.

We’ll likely bump the axios version in the next release, as there’s no blocker for doing so. Thanks again for bringing this to our attention!