Hi Streamlit Team,
I wanted to reach out to raise a query (and potential concern) about a recent discovery when upgrading Streamlit to version 1.37.
During an internal security review, we identified that Streamlit 1.37’s frontend bundle (the main.[hash].js file served under /static/js/) includes Axios.
Out of an abundance of caution, we’ve been investigating this further because Axios v1.6.8 (which was flagged in a separate orphaned file still served on our Render-hosted domain) is known to have a vulnerability (CVE-2024-39338). While we understand that orphaned file is unrelated to Streamlit itself, the discovery of Axios bundled within Streamlit’s official frontend raised some questions:
Our Questions:
- Can you confirm if Axios is now intentionally included as part of Streamlit’s frontend in version 1.37?
- If so, can you clarify which version of Axios is bundled?
- Is Axios used internally for Streamlit’s own frontend operations, or is it included for future extensibility/compatibility?
- Has any security review been undertaken in relation to Axios being bundled (given the recent vulnerability in v1.6.8)?
We’re asking to better understand if this is expected behaviour, and if there are any risks or upcoming patches we should be aware of.
More than happy to share detailed findings or files if helpful.
Thank you so much for the amazing work you continue to do with Streamlit! We love working with the platform and appreciate your support.
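As an added example that is not part of the original post, and not code from Streamlit or Axios: the kind of script we used internally to confirm whether a served JavaScript bundle carries axios and which version. It is a heuristic: it looks for identifier strings that minifiers leave intact in axios builds (the AxiosError class name, axios error codes, the default XSRF option names) and for the VERSION literal axios attaches as axios.VERSION. The marker list, the VERSION pattern, the fixed version 1.7.4 for CVE-2024-39338 (taken from the advisory as we read it; confirm before relying on it) and the sample bundle fragments are all assumptions or constructed inputs, and a bundler that renames VERSION would defeat the version extraction, which is why the script then reports "unknown" rather than a version.

```python
import re
import sys
from typing import Optional

# Heuristic: identifier-like strings that minifiers leave intact in axios
# builds (error class name, error codes, default XSRF option names).
# Requiring several of them avoids flagging another library that merely
# exports a VERSION literal. Assumed marker list, not an official fingerprint.
AXIOS_MARKERS = ("AxiosError", "isAxiosError", "ERR_BAD_REQUEST",
                 "xsrfCookieName", "XSRF-TOKEN")

# axios keeps its version in lib/env/data.js as VERSION and attaches it as
# axios.VERSION, so minified output normally contains VERSION:"x.y.z" or
# VERSION="x.y.z" verbatim (assumption: a bundler could still rename it).
VERSION_RE = re.compile(r'\bVERSION\s*[:=]\s*["\'](\d+\.\d+\.\d+)["\']')

# Assumed from the CVE-2024-39338 advisory; confirm against the current
# advisory before relying on it.
CVE_2024_39338_FIXED_IN = "1.7.4"


def axios_markers_found(bundle: str) -> list:
    """Return the axios fingerprint strings present in a bundle's text."""
    return [m for m in AXIOS_MARKERS if m in bundle]


def find_axios_version(bundle: str) -> Optional[str]:
    """Return the bundled axios version, "unknown" if axios looks present but
    the VERSION literal was not found, or None if axios does not look bundled."""
    if len(axios_markers_found(bundle)) < 2:
        return None
    match = VERSION_RE.search(bundle)
    return match.group(1) if match else "unknown"


def parse_version(version: str) -> tuple:
    """Turn "1.6.8" into (1, 6, 8) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess_bundle(bundle: str, fixed_in: str = CVE_2024_39338_FIXED_IN) -> dict:
    """Summarise whether axios is bundled and whether it predates the fix."""
    version = find_axios_version(bundle)
    below_fix = None  # unknown when axios is absent or its version is hidden
    if version not in (None, "unknown"):
        below_fix = parse_version(version) < parse_version(fixed_in)
    return {"axios_bundled": version is not None,
            "version": version,
            "markers": axios_markers_found(bundle),
            "below_fix": below_fix}


# Constructed sample bundle fragments (not real Streamlit or axios output).
SAMPLE_WITH_AXIOS = ('...function(e){this.name="AxiosError"}...ERR_BAD_REQUEST...'
                     '{VERSION:"1.6.8",isAxiosError:function(e){...}}...')
SAMPLE_WITHOUT_AXIOS = '...{VERSION:"18.2.0"}...react-dom...useState...'
SAMPLE_ONE_MARKER = '...fetch("/api").then(...)..."XSRF-TOKEN"...'


if __name__ == "__main__":
    # Usage: python axios_check.py /path/to/main.<hash>.js
    # (download the file from /static/js/ first); with no argument the
    # constructed sample is analysed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WITH_AXIOS
    for key, value in assess_bundle(text).items():
        print(f"{key}: {value}")
```

Run it against each main.[hash].js the server actually serves, not just the one in the package, since an orphaned bundle left on the host will carry its own copy of axios regardless of what the current Streamlit release ships.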