Streamlit Axios vulnerabilities

Axios 1.14.1 has been flagged for vulnerability issues.

Streamlit does publish the Axios version in package.json, like streamlit/frontend/lib/package.json at 6168bd1f4ade6fbe5d25a188288b385b2497a8ce · streamlit/streamlit · GitHub

However, it does not nail down the version there. It simply says: ^1.12.1

which, as I understand it, means any version > 1.12.1, and depending on when you install, you can accidentally install 1.14.1, which has been flagged...?

I am not sure how to look at this issue. Can someone kindly help understand the security threat?

Hey there, thanks for raising this important security question! You’re absolutely right: specifying "axios": "^1.12.1" in package.json means npm can install any minor/patch version greater than or equal to 1.12.1 but less than 2.0.0—including 1.14.1, which has known vulnerabilities. This could expose your app to security risks if a vulnerable Axios version is installed during a fresh build or dependency update, unless the version is explicitly pinned or a patched version is released and used.

Streamlit’s team regularly updates dependencies and monitors for vulnerabilities, as seen in their merged PRs bumping Axios to newer versions (e.g., 1.13.2, 1.13.6). However, unless the version is pinned (e.g., "axios": "1.13.6"), there’s always a risk of installing a flagged version if you run npm install at the wrong time. For maximum safety, you should pin Axios to a secure version in your own fork or use a lockfile to prevent accidental upgrades to vulnerable releases. For more on how Streamlit manages dependencies, see package.json and their PR history.

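To make the caret-range and lockfile point from the reply concrete, here is an added example that is not code from Streamlit or from the reply's author. It models, in plain JavaScript, what `npm install` does with `"axios": "^1.12.1"` when no lockfile is present, what `npm ci` does when one is, and what an exact pin such as `"axios": "1.13.6"` does. The list of published versions, the package-lock.json fragment and the "flagged" list are constructed assumptions for the demonstration (only 1.12.1, 1.13.2, 1.13.6 and 1.14.1 are mentioned in the thread), and the narrower rule npm applies to `^0.y.z` ranges is deliberately left out.

```javascript
// Added example: a small model of how npm resolves the "axios": "^1.12.1"
// range from the thread, with and without a lockfile. It is not Streamlit's
// code and does not shell out to npm; the version list, the lockfile and the
// flagged list below are constructed for illustration.

// Versions assumed to be published, including 1.14.1, the release the thread
// says has been flagged (constructed list; check the registry for the real one).
const PUBLISHED = ["1.12.0", "1.12.1", "1.13.2", "1.13.6", "1.14.1", "2.0.0"];

// Minimal package-lock.json (lockfileVersion 3) fragment recording what an
// earlier install chose (constructed; a real entry also has "resolved" and "integrity").
const LOCK = { lockfileVersion: 3, packages: { "node_modules/axios": { version: "1.13.6" } } };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Two range shapes are modelled: an exact pin "x.y.z" and a caret "^x.y.z".
// For a caret with non-zero major, npm accepts >= x.y.z and < (x+1).0.0.
function satisfies(range, version) {
  if (!range.startsWith("^")) return compareVersions(range, version) === 0;
  const base = range.slice(1);
  const [major] = parseVersion(base);
  if (major === 0) throw new Error("0.x caret ranges are not modelled here");
  return compareVersions(version, base) >= 0 && parseVersion(version)[0] === major;
}

// `npm install` with no lockfile: the highest published version inside the
// range, so the answer changes whenever a new 1.x release appears.
function resolveFloating(range, published) {
  const ok = published.filter((v) => satisfies(range, v)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// `npm ci`: use exactly the version the lockfile recorded, and refuse to
// proceed if the lock and package.json disagree, so a stale lock fails loudly.
function resolveLocked(name, range, lock, published) {
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  if (!entry) throw new Error(`${name} is missing from the lockfile`);
  if (!satisfies(range, entry.version)) {
    throw new Error(`lockfile has ${name}@${entry.version}, which does not satisfy ${range}`);
  }
  if (!published.includes(entry.version)) throw new Error(`${name}@${entry.version} is not published`);
  return entry.version;
}

// Which versions on a flagged list a floating range could still pull in.
function exposedVersions(range, published, flagged) {
  return published.filter((v) => satisfies(range, v) && flagged.includes(v)).sort(compareVersions);
}

console.log("floating ^1.12.1 ->", resolveFloating("^1.12.1", PUBLISHED));                 // 1.14.1
console.log("locked   ^1.12.1 ->", resolveLocked("axios", "^1.12.1", LOCK, PUBLISHED));    // 1.13.6
console.log("pinned    1.13.6 ->", resolveFloating("1.13.6", PUBLISHED));                  // 1.13.6
console.log("exposed  ^1.12.1 ->", exposedVersions("^1.12.1", PUBLISHED, ["1.14.1"]));     // [ '1.14.1' ]
```

The practical reading for a Docker build is the `resolveLocked` path: commit the lockfile alongside package.json and install with `npm ci` (or the frozen-lockfile equivalent of whatever package manager the project uses) rather than `npm install`, so the image gets the version the lockfile recorded instead of whatever the caret range resolves to on build day. The `exposedVersions` check is the quick way to see whether a range still admits a version you want to avoid.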

Thank you for confirming!

As a Streamlit user who builds Docker apps, what steps do I need to take to ensure this?
I didn't quite get the lockfile thing...