Ginja9975

Reputation: 13

Axios vulnerability detected when installing @nuxtjs/auth-next

I have a nuxt project and I was trying to install nuxt auth, but every time I install this package, this Axios Cross-Site Request Forgery Vulnerability appears. This is my package.json file:

{
  "name": "nuxt-app",
  "private": true,
  "type": "module",
  "scripts": {
    "build": "nuxt build",
    "dev": "nuxt dev",
    "generate": "nuxt generate",
    "preview": "nuxt preview",
    "postinstall": "nuxt prepare"
  },
  "dependencies": {
    "@mdi/font": "^7.4.47",
    "@nuxtjs/auth-next": "^5.0.0-1667386184.dfbbb54",
    "axios": "^1.6.8",
    "nuxt": "^3.10.3",
    "vue": "^3.4.21",
    "vue-router": "^4.3.0"
  },
  "devDependencies": {
    "sass": "^1.71.1",
    "vite-plugin-vuetify": "^2.0.3",
    "vuetify": "^3.5.9"
  }
}

I have searched online for a way to fix this and found that a solution for this problem is to install an axios version >= 1.6.0. So I installed the latest axios version, but the problem persists. I checked that the installed version is >= 1.6.0, both in the package.json file and by running the following command: npm list. I also tried installing on a different computer, and I deleted package-lock.json and the node_modules folder and then reinstalled all dependencies, but neither approach worked. I also tried running the command npm audit fix --force, but it did not work. What am I missing?

Upvotes: 0

Views: 740

Answers (1)

Estus Flask

Reputation: 222309

The npm audit report refers to this vulnerability.

The correct command to list nested axios dependencies is npm list axios. It shows that both @nuxtjs/auth-next and @nuxtjs/axios have dependencies on Axios 0.x:

+-- @nuxtjs/[email protected]
| +-- @nuxtjs/[email protected]
| | `-- [email protected]
| `-- [email protected]
+-- [email protected]
`-- [email protected]
  `-- @nuxt/[email protected]
    `-- @vue/[email protected]
      `-- @vue/[email protected]
        `-- @vueuse/[email protected]
          `-- [email protected] deduped

The intention is to dedupe the nested axios dependencies to the project's [email protected].

This requires adding an overrides section to package.json:

  "overrides": {
    "@nuxtjs/auth-next": {
      "axios": "$axios",
      "@nuxtjs/axios": {
        "axios": "$axios"
      }
    }
  }

Then completely reinstall the dependencies by removing package-lock.json and node_modules and running npm i. Afterwards the output of npm list axios should be:

+-- @nuxtjs/[email protected] overridden
| +-- @nuxtjs/[email protected] overridden
| | `-- [email protected] deduped <--
| `-- [email protected] deduped <--
+-- [email protected]
`-- [email protected]
  `-- @nuxt/[email protected]
    `-- @vue/[email protected]
      `-- @vue/[email protected]
        `-- @vueuse/[email protected]
          `-- [email protected] deduped

Overriding the dependencies with an incompatible version carries a certain risk. Whether doing this will have a negative impact on how the package works still needs to be verified.

Upvotes: 1
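As an added example (this is not code from the question or the answer above), the following Node.js script automates the two steps the answer performs by hand: it walks an `npm ls axios --json` dependency tree, reports every nested copy of axios that is older than 1.6.0 (the first release that fixes the CSRF advisory), and builds the nested `overrides` object that pins each such copy to `$axios`. The tree embedded below is a constructed sample shaped like `npm ls axios --json` output; its nested version numbers (0.21.4, 5.13.6, 10.9.0) are illustrative placeholders, not the versions actually installed in the poster's project. To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse(execSync('npm ls axios --json'))`.

```javascript
// Added example: locate vulnerable nested axios copies in an `npm ls --json`
// tree and generate the package.json "overrides" block that dedupes them.
const FIXED_VERSION = '1.6.0'; // axios CSRF advisory is fixed from 1.6.0 onward

// Constructed sample in the shape of `npm ls axios --json` output.
// Nested versions are illustrative placeholders, not the real project's.
const SAMPLE_TREE = {
  name: 'nuxt-app',
  dependencies: {
    '@nuxtjs/auth-next': {
      version: '5.0.0-1667386184.dfbbb54',
      dependencies: {
        '@nuxtjs/axios': {
          version: '5.13.6',
          dependencies: { axios: { version: '0.21.4' } },
        },
        axios: { version: '0.21.4' },
      },
    },
    axios: { version: '1.6.8' },
    nuxt: {
      version: '3.10.3',
      dependencies: {
        '@vueuse/core': {
          version: '10.9.0',
          dependencies: { axios: { version: '1.6.8' } },
        },
      },
    },
  },
};

// Parse "major.minor.patch" (ignoring any prerelease suffix) into numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Depth-first walk collecting every axios node with the chain of package
// names that leads to it (this is what `npm list axios` shows as a tree).
function findAxiosCopies(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'axios' && node.version) out.push({ path: here, version: node.version });
    findAxiosCopies(node, here, out);
  }
  return out;
}

function vulnerableCopies(tree) {
  return findAxiosCopies(tree).filter(c => compareSemver(c.version, FIXED_VERSION) < 0);
}

// Build the nested "overrides" object: each vulnerable copy contributes its
// parent chain, and the innermost level pins axios to "$axios", npm's
// reference to the version declared in this project's own dependencies.
function buildOverrides(copies) {
  const overrides = {};
  for (const { path } of copies) {
    let cur = overrides;
    for (const parent of path.slice(0, -1)) cur = cur[parent] || (cur[parent] = {});
    cur.axios = '$axios';
  }
  return overrides;
}

// Human-readable report plus the JSON fragment to paste into package.json.
function report(tree) {
  const bad = vulnerableCopies(tree);
  const lines = bad.map(c => `${c.path.join(' > ')} is ${c.version} (< ${FIXED_VERSION})`);
  return { vulnerable: lines, overrides: buildOverrides(bad) };
}

const result = report(SAMPLE_TREE);
console.log(result.vulnerable.join('\n'));
console.log(JSON.stringify({ overrides: result.overrides }, null, 2));
```

Note that `$axios` only resolves if the project itself lists axios in its `dependencies`, as the question's package.json does; otherwise pin an explicit version string instead. The script only decides what to override; after editing package.json you still have to delete package-lock.json and node_modules and run `npm i`, then confirm with `npm list axios` that the nested copies show up as `deduped`.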
