Hi, we’re including the shapediver sdk in our project through npm, and we’re on version 3.10.0.
We’ve included the dependency in our package.json as "@shapediver/viewer": "^3.10.0"
This results in the following warning when we run npm audit:
axios 1.0.0 - 1.8.1
Severity: high
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL · CVE-2025-27152 · GitHub Advisory Database
fix available via npm audit fix --force
Will install @shapediver/viewer@1.8.13, which is a breaking change
node_modules/axios
@shapediver/sdk.geometry-api-sdk-core 1.2.1 || >=1.2.3
Depends on vulnerable versions of axios
node_modules/@shapediver/sdk.geometry-api-sdk-core
@shapediver/sdk.geometry-api-sdk-v2 1.3.1 - 1.13.0
Depends on vulnerable versions of @shapediver/sdk.geometry-api-sdk-core
node_modules/@shapediver/sdk.geometry-api-sdk-v2
@shapediver/viewer.creation-control-center.session *
Depends on vulnerable versions of @shapediver/sdk.geometry-api-sdk-v2
Depends on vulnerable versions of @shapediver/viewer.session-engine.session-engine
Lots of repeated references to vulnerable versions of sub-dependencies removed for brevity’s sake
Depends on vulnerable versions of @shapediver/viewer.shared.math
Depends on vulnerable versions of @shapediver/viewer.shared.node-tree
Depends on vulnerable versions of @shapediver/viewer.shared.services
Depends on vulnerable versions of @shapediver/viewer.shared.types
node_modules/@shapediver/viewer.viewport
@shapediver/sdk.sdtf-v1 >=1.3.0
Depends on vulnerable versions of axios
node_modules/@shapediver/sdk.sdtf-v1
This appears to be suggesting to install version 1.8.13 to fix the issue, but even if our code worked on that old version, it results in the following security warning:
axios <=0.29.0 || 1.0.0 - 1.8.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability · CVE-2023-45857 · GitHub Advisory Database
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL · CVE-2025-27152 · GitHub Advisory Database
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL · CVE-2025-27152 · GitHub Advisory Database
fix available via npm audit fix --force
Will install @shapediver/viewer@3.10.0, which is a breaking change
node_modules/@shapediver/sdk.sdtf-v1/node_modules/axios
node_modules/@shapediver/viewer.data-engine.data-engine/node_modules/axios
More repeated warnings cut out
node_modules/@shapediver/viewer.session-engine.session-engine/node_modules/axios
node_modules/@shapediver/viewer.shared.services/node_modules/axios
node_modules/axios
@shapediver/sdk.geometry-api-sdk-core 1.2.1 || >=1.2.3
Depends on vulnerable versions of axios
node_modules/@shapediver/sdk.geometry-api-sdk-core
@shapediver/sdk.geometry-api-sdk-v2 1.3.1 - 1.13.0
Depends on vulnerable versions of @shapediver/sdk.geometry-api-sdk-core
node_modules/@shapediver/sdk.geometry-api-sdk-v2
@shapediver/sdk.sdtf-v1 1.0.0 || 1.1.1 - 1.2.1
Depends on vulnerable versions of axios
node_modules/@shapediver/sdk.sdtf-v1
Is this something we can fix by forcing the version for sdk.geometry-api-sdk-core?