Update axios dependency to latest version #540
Conversation
@rastorc3v @KuSh What's preventing this PR from getting merged? This is causing all kinds of alarms to go off where I work: Anything the community can do to help?
Maybe needs approval from @ejizba or @hossam-nasr? Thx in advance.
This is exactly why I made a PR. I'm also waiting to be able to shut those alarms.
Hi folks, thanks for the ping. We've discussed this internally but haven't posted here. The main blocker is that axios was upgraded across major versions without a discussion of the breaking changes. We plan to update axios, but not until after we fully analyze/test the impact of the breaking changes. In addition, this vulnerability is a false positive for the durable package. There are a few reasons for this, but one reason is that this vulnerability only applies if using I do want to apologize for the delay on this. I understand how annoying these security alerts can be and I get that people often don't care if it's a false positive or not. If this was a minor or patch update we would've already done it, but because it's a major version update we have to be more careful. I'm skeptical this will be fixed this month around the holidays, but I'm optimistic we'll get it fixed early in the new year.
Thanks for the update @ejizba. Appreciate all your hard work on the project, hopefully your message will placate those whose job function involves risk management for these kinds of things.
Can we bump this to 1.6.5?
Apologies for the delay here. We'll look to correct this warning by our next release, which should happen in the next few weeks.
I did not find any potential issues with this update. Everything seems to work as expected.
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Fixes CVE-2023-45857