Dependency Security: Axios Cross-Site Request Forgery Vulnerability

[roninCode]

There is a Axios Cross-Site Request Forgery Vulnerability dependency in the @analytics/segment plugin.

Dependabot is stating: @analytics/segment@1.1.3 requires axios@^0.21.1 via a transitive dependency on analytics-node@3.5.0
(https://github.com/DavidWells/analytics/blob/master/packages/analytics-plugin-segment/package.json#L56)

Looks like analytics-node is a deprecated repo with no more support.

analytics-node suggests using this repo instead: https://github.com/segmentio/analytics-next/tree/master/packages/node#readme

Any way you can replace analytics-node with analytics-next?

[DavidWells]

Axios is just making calls directly to segment https://github.com/segmentio/analytics-node/blob/master/index.js#L303 I don't think this security warning will have any impact on you.

If you are just using segment in the browser you can completely ignore the warning as axios is only used serverside in node.

I won't be updating the node package anytime soon but am ppen to PRs to refactor https://github.com/DavidWells/analytics/blob/master/packages/analytics-plugin-segment/src/node.js to the latest version of the segment node package. https://segment.com/docs/connections/sources/catalog/libraries/server/node/migration/