npm audit incorrectly flags a package

npm audit flags the axios package even though the patched v0.18.1 is in use. It still says that 0.19.0 should be used (which is also patched, but includes additional changes, whereas 0.18.1 contains only the patch).

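How can this be resolved? What does npm audit base this finding on?
This is the output of npm audit --json. Note that the advisory's vulnerable_versions range (0.16.2 ≤ Version ≤ 0.19.0-beta.1) includes 0.18.1, and patched_versions lists only 0.19.0: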

"81888": {
      "findings": [
        {
          "version": "0.18.1",
          "paths": [
            "analytics-node>axios"
          ],
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "id": 81888,
      "created": "2019-05-16T07:33:00.184Z",
      "updated": "2019-07-11T01:00:00Z",
      "deleted": null,
      "title": "Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.",
      "found_by": {
        "name": "nvd"
      },
      "reported_by": {
        "name": "Jfrog-Xray"
      },
      "module_name": "axios",
      "cves": [
        "CVE-2019-10742"
      ],
      "vulnerable_versions": "0.16.2 ≤ Version ≤ 0.19.0-beta.1",
      "patched_versions": "0.19.0",
      "overview": "Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.",
      "recommendation": "Update to version 0.19.0 or later.",
      "references": "https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505,https://github.com/axios/axios/issues/1098,https://github.com/axios/axios/pull/1485",
      "access": "public",
      "severity": "moderate",
      "cwe": "CWE-20",
      "metadata": {
        "module_type": "",
        "exploitability": 0,
        "affected_components": ""
      },
      "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10742"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 1,
      "moderate": 1,
      "high": 0,
      "critical": 0
    },
    "dependencies": 0,
    "devDependencies": 0,
    "optionalDependencies": 0,
    "totalDependencies": 65
  },
  "runId": "3aae7e07-70eb-4722-96ed-176c9e4ee1cd"
}
