Open
Description
Even though contentful says it adds a dependency on axios at some version, it actually inlines the dependency into the browser, causing potentially unsafe versions to end up in your final built assets. In our case our lockfile says
```
contentful@^10.15.0:
  version "10.15.0"
  resolved "https://whatever/repository/npm-all/contentful/-/contentful-10.15.0.tgz#0f8cc2887f583b283f1326357777c4e4a0764c2f"
  integrity sha512-gkkMRf2FK1SQHMs2UKOuIeCdBXQKF/fMzIRCDL038lUScyE6mvnPu8aHrAQuUZwfcd58J0cibqT+iqj+pAVyGA==
  dependencies:
    "@contentful/content-source-maps" "^0.11.0"
    "@contentful/rich-text-types" "^16.0.2"
    axios "^1.7.4"
    contentful-resolve-response "^1.9.0"
    contentful-sdk-core "^8.3.1"
    json-stringify-safe "^5.0.1"
    type-fest "^4.0.0"

axios@^1.7.4, axios@^1.8.4:
  version "1.8.4"
  resolved "https://whatever/repository/npm-all/axios/-/axios-1.8.4.tgz#78990bb4bc63d2cae072952d374835950a82f447"
  integrity sha512-eBSYY4Y68NNlHbHBMdeDmKNtDgXWhQsJcGqzO3iLUM0GraQFSS9cVgPX5I9b3lbdFKyYoAEGAZF1DwhTaljNAw==
  dependencies:
    follow-redirects "^1.15.6"
    form-data "^4.0.0"
    proxy-from-env "^1.1.0"
```
So we thought we had fixed a security vulnerability that exists at axios<1.7.5, but it turns out we still had axios 1.7.4 being bundled into our application.
You can see this by looking at the installed `node_modules/contentful/dist/contentful.browser.js`, which contains a bunch of axios code like

```javascript
/***/ "../node_modules/axios/lib/axios.js":
/*!******************************************!*\
  !*** ../node_modules/axios/lib/axios.js ***!
  \******************************************/
/***/ (function(__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) {
```
I'm guessing this is caused by this line
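As an added check (example code, not from the issue author or the contentful project): scan a built bundle for webpack module headers that inline axios, recover the inlined version, and compare it with what `yarn.lock` resolves, so the mismatch described above is caught in CI rather than discovered by hand. It assumes the bundle keeps axios's `VERSION = "x.y.z"` literal from `lib/env/data.js` and the yarn.lock v1 layout shown above; the sample inputs are constructed.

```javascript
// Webpack module headers like the one quoted above: /***/ "../node_modules/axios/lib/axios.js":
function findInlinedModules(bundleText, pkg) {
  const re = new RegExp(`\\/\\*\\*\\*\\/ "([^"]*node_modules\\/${pkg}\\/[^"]*)":`, "g");
  return [...bundleText.matchAll(re)].map((m) => m[1]);
}

// Assumption: axios's lib/env/data.js `VERSION = "x.y.z"` literal survives bundling.
// Returns null when no such literal is found, so the caller can treat it as unknown.
function extractVersion(bundleText) {
  const m = /VERSION\s*=\s*["'](\d+\.\d+\.\d+)["']/.exec(bundleText);
  return m ? m[1] : null;
}

// Numeric compare of plain x.y.z versions (no prerelease handling).
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// yarn.lock v1: a header such as `axios@^1.7.4, axios@^1.8.4:` is followed by `  version "1.8.4"`.
function lockedVersions(lockText, pkg) {
  const lines = lockText.split("\n"), versions = [];
  for (let i = 0; i < lines.length; i++) {
    const specs = lines[i].split(",").map((s) => s.trim().replace(/^"/, ""));
    if (/^\S/.test(lines[i]) && specs.some((s) => s.startsWith(`${pkg}@`))) {
      const v = /^\s+version "([^"]+)"/.exec(lines[i + 1] || "");
      if (v) versions.push(v[1]);
    }
  }
  return versions;
}

// An inlined copy whose version is unknown is reported as unsafe: the lockfile cannot pin it.
function audit(bundleText, lockText, pkg, minSafe) {
  const modules = findInlinedModules(bundleText, pkg);
  const bundledVersion = modules.length ? extractVersion(bundleText) : null;
  const unsafe = modules.length > 0 && (bundledVersion === null || versionLessThan(bundledVersion, minSafe));
  return { modules, bundledVersion, locked: lockedVersions(lockText, pkg), unsafe };
}

// Constructed sample inputs (not real files): a bundle fragment with axios 1.7.4 inlined and a
// lockfile that resolves axios to 1.8.4, which is the mismatch the issue describes.
const SAMPLE_BUNDLE = `/***/ "../node_modules/axios/lib/axios.js":\n/***/ (function () {})\n` +
  `/***/ "../node_modules/axios/lib/env/data.js":\nconst VERSION = "1.7.4";\n`;
const SAMPLE_LOCK = `axios@^1.7.4, axios@^1.8.4:\n  version "1.8.4"\n  resolved "https://whatever/axios-1.8.4.tgz"\n`;

console.log(JSON.stringify(audit(SAMPLE_BUNDLE, SAMPLE_LOCK, "axios", "1.7.5"), null, 2));
```

To run it against a real install, pass the contents of `dist/contentful.browser.js` and `yarn.lock` (read with `fs.readFileSync`) to `audit` in place of the samples.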