Update dependency axios to v1 [SECURITY] #3343
Conversation
LGTM 👍
Really glad to have dependency checks for the frontend now!
Size Change: +16.8 kB (+2%) Total Size: 973 kB
Ah, thank goodness for CI. There's a build failure. Looking at it now.
I've got a fix for the runtime error coming as well, just testing it fully locally.
This should work... 🤞
Edited/Blocked Notification: Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠ Warning: custom changes will be lost.
Full-stack documentation: https://docs.openverse.org/_preview/3343 Please note that GitHub pages takes a little time to deploy newly pushed code, if the links above don't work or you see old versions, wait 5 minutes and try again. You can check the GitHub pages deployment action list to see the current status of the deployments.
The first request in the API token test cases is always with undefined URL. I cannot figure out why that is happening, and can't figure out if it's somehow related to
There's a fix involving A similar issue in the We could consider moving from axios-mock-adapter to https://github.com/knee-cola/jest-mock-axios, which seems to be more frequently updated.
Oh! We can just await the mock adapter function then? The fixes you're mentioning are for getting jest to not complain about the axios compilation errors, right? I came across similar ones. The only one that worked is the one I applied in 78c84c3. Good find about the promise though... let me see what I can do there. Edit: Never mind, I see the linked SO answer is different. It got me digging into Axios mock adapter and I found out the issue has to do with the import of Axios mock adapter accidentally being axios itself due to too-loose a setting in The latest commit should fix everything 🤞
41b6c30 to a03462f
@@ -22,7 +23,7 @@ module.exports = { | |||
"^.+\\.svg$": "<rootDir>/test/unit/svg-transform.js", | |||
}, | |||
testPathIgnorePatterns: ["/playwright/", "/storybook/", ".remake"], | |||
collectCoverage: true, | |||
collectCoverage: false, |
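Review bot: flipping `collectCoverage: true` to `false` is unrelated to the axios upgrade this PR is about and switches coverage off for CI runs as well as local ones, which the inline justification (noisy output when running a single test locally) does not call for. If the goal is only a quiet local run, leave the config alone and let the CI invocation pass Jest's `--coverage` flag explicitly, or gate the value on an environment variable in this file; either way, record the reason in the PR description or split it into its own PR so the change is visible in the history.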
I'm setting this to false because (a) it's profoundly annoying to deal with locally when running a single test, as your console gets flooded with coverage information, and (b) we literally do not use this coverage information anywhere at the moment.
@obulat Ready for review here.
@@ -12,7 +12,7 @@ module.exports = { | |||
"^~~/(.*)$": "<rootDir>/$1", | |||
"^vue$": "vue/dist/vue.common.js", | |||
"(.*svg)(\\?inline)$": "<rootDir>/test/unit/test-utils/svgTransform.js", | |||
axios: "axios/dist/node/axios.cjs", | |||
"^axios$": "axios/dist/node/axios.cjs", |
Oh, this is so....unexpected! I spent a lot of time trying to figure out the fix, but I would never think of looking into this import! Thank you for finding the fix, @sarayourfriend!
It all came down to attaching a debugger and noticing that new AxiosMockAdapter raised an error in the debug console and then inspecting the imported object and realising "oh... that's Axios!" and then I noticed that the keys here are regexes. I actually did a 🤦 when I realised what a mistake I'd made 😅
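As an added illustration of the regex-key pitfall described in the comment above (example code written for this page, not part of the Openverse repository or of Jest itself), the following mimics how a moduleNameMapper entry is applied to a module request. The match-and-substitute logic is a simplified assumption about Jest's behaviour; the two configs and the request list are constructed from the diff above, and the audit helper flags keys that are not anchored at both ends.

```javascript
// Added example (not the Openverse project's code, not Jest's): a simplified
// imitation of how Jest applies `moduleNameMapper`. Each key is treated as a
// regular expression and the first key that matches a module request wins;
// `$1`, `$2`... in the target are filled from the match. This is an assumption
// about Jest's behaviour, kept here to show why an unanchored key such as
// `axios` also captures `axios-mock-adapter`.

// Constructed configs mirroring the two states of the diff above.
const MAPPER_BEFORE = {
  "^~~/(.*)$": "<rootDir>/$1",
  axios: "axios/dist/node/axios.cjs",
};
const MAPPER_AFTER = {
  "^~~/(.*)$": "<rootDir>/$1",
  "^axios$": "axios/dist/node/axios.cjs",
};

// Resolve a module request the way a moduleNameMapper would; returns null when
// no key matches (Jest would then resolve the module normally).
function resolveMapped(mapper, request) {
  for (const [pattern, target] of Object.entries(mapper)) {
    const match = request.match(new RegExp(pattern));
    if (match) {
      return target.replace(/\$(\d+)/g, (_, i) => match[Number(i)] ?? "");
    }
  }
  return null;
}

// Keys that are not anchored on both ends match substrings of unrelated module
// names, which is exactly the collision this PR ran into.
function unanchoredKeys(mapper) {
  return Object.keys(mapper).filter((k) => !(k.startsWith("^") && k.endsWith("$")));
}

// Run a list of module requests through the mapper and report which of them
// were redirected and where, alongside the unanchored keys.
function auditMapper(mapper, requests) {
  const redirected = {};
  for (const req of requests) {
    const target = resolveMapped(mapper, req);
    if (target !== null) redirected[req] = target;
  }
  return { redirected, unanchored: unanchoredKeys(mapper) };
}

// Constructed module requests as they would appear in test files.
const REQUESTS = ["axios", "axios-mock-adapter", "~~/utils/api", "vue"];

const auditReportBefore = auditMapper(MAPPER_BEFORE, REQUESTS);
const auditReportAfter = auditMapper(MAPPER_AFTER, REQUESTS);
console.log("before:", JSON.stringify(auditReportBefore, null, 2));
console.log("after:", JSON.stringify(auditReportAfter, null, 2));
```

Running it shows `axios-mock-adapter` redirected to `axios/dist/node/axios.cjs` under the old config and left alone under the new one; the `unanchored` list is the check worth running whenever a new entry is added to the map.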
Closes #2299
This PR contains the following updates:
axios: ^0.27.0 -> ^1.0.0
GitHub Vulnerability Alerts
CVE-2023-45857
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
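An added example (not axios's code and not part of this PR) of the origin check that the advisory above describes as missing: the XSRF-TOKEN cookie is attached as an X-XSRF-TOKEN header only when the request resolves to the page's own origin, or when the caller opts in through a withXSRFToken option that is assumed here for the example. The cookie jar, page origin and request URLs are constructed; cookie reading is simulated with a plain object so the code runs outside a browser.

```javascript
// Added example (not axios's code): the defensive rule that CVE-2023-45857 was
// missing. A double-submit CSRF token read from a cookie is only meaningful to
// the origin that set it, so it should be attached only to same-origin requests
// (or when the caller explicitly opts in, here via an assumed `withXSRFToken`
// option). document.cookie is stood in for by a constructed object.

// Constructed cookie jar for a page served from https://app.example.test
const COOKIES = { "XSRF-TOKEN": "tok-1234", session: "opaque" };
const PAGE_ORIGIN = "https://app.example.test";

function readCookie(jar, name) {
  return Object.prototype.hasOwnProperty.call(jar, name) ? jar[name] : undefined;
}

// Resolve the request URL against the page origin (so relative paths count as
// same-origin) and compare the full origin: scheme, host and port.
function isSameOrigin(requestUrl, pageOrigin) {
  const base = new URL(pageOrigin);
  const target = new URL(requestUrl, base);
  return target.origin === base.origin;
}

// The gate: attach the token only for same-origin requests or an explicit opt-in.
function shouldAttachXsrf(requestUrl, pageOrigin, { withXSRFToken = false } = {}) {
  return withXSRFToken || isSameOrigin(requestUrl, pageOrigin);
}

// Build the outgoing header map; X-XSRF-TOKEN is present only when the gate
// allows it and the cookie actually exists.
function buildHeaders(requestUrl, pageOrigin, jar, options = {}) {
  const headers = { Accept: "application/json" };
  const token = readCookie(jar, "XSRF-TOKEN");
  if (token !== undefined && shouldAttachXsrf(requestUrl, pageOrigin, options)) {
    headers["X-XSRF-TOKEN"] = token;
  }
  return headers;
}

// Constructed requests a front end might make from the page, including the
// cross-origin shapes that an unguarded client would leak the token to.
const SAMPLE_REQUESTS = [
  "/api/v1/images",
  "https://app.example.test/api/v1/images",
  "https://app.example.test:8443/api",
  "http://app.example.test/api",
  "//evil.example.test/collect",
  "https://evil.example.test/collect",
];

for (const url of SAMPLE_REQUESTS) {
  const sent = "X-XSRF-TOKEN" in buildHeaders(url, PAGE_ORIGIN, COOKIES);
  console.log(`${sent ? "token sent   " : "token withheld"}  ${url}`);
}
```

Port and scheme are part of the origin, so a request to the same host on a different port or over plain http is withheld as well; that is the behaviour the 1.6.0 fix restores and the case a review of a custom HTTP wrapper should check for.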
Release Notes
axios/axios (axios)

v1.6.0: Bug Fixes; PRs; Contributors to this release.

v1.5.1 (2023-09-26): Bug Fixes: Content-Type header for FormData in non-browser environments (#5917) (bc9af51); content-encoding header to handle case-insensitive values (#5890) (#5892) (4c89f25). Contributors to this release; PRs.

v1.5.0: Bug Fixes: cacheable-lookup integration (#5836) (b3e327d). Features: unsafe prefix (#5839) (1601f4a). Contributors to this release; PRs.

v1.4.0: Bug Fixes: multipart/form-data content type for FormData payload on custom client environments (#5678) (bbb61e7). Features: AxiosHeaderValue type (#5525) (726f1c8). Performance Improvements; Contributors to this release; PRs.

v1.3.6 (2023-04-19): Bug Fixes: toString method on the target (#5661) (aa372f7). Contributors to this release; PRs.

v1.3.5 (2023-04-05): Bug Fixes: paramsSerializer config (#5633) (a56c866). Contributors to this release; PRs.

v1.3.4 (2023-02-22): Bug Fixes; Contributors to this release; PRs.

v1.3.3 (2023-02-13): Bug Fixes; Contributors to this release; PRs.

v1.3.2 (2023-02-03): Bug Fixes: ERR_INVALID_URL error (#5528) (128d56f). Contributors to this release; PRs.

v1.3.1 (2023-02-01): Bug Fixes; Contributors to this release; PRs.

v1.3.0: Bug Fixes; Features; Contributors to this release; PRs.

v1.2.6 (2023-01-28): Bug Fixes: CommonRequestHeadersList & CommonResponseHeadersList types to be private in commonJS (#5503) (5a3d0a3). Contributors to this release; PRs.

v1.2.5 (2023-01-26): Bug Fixes; Contributors to this release; PRs.

v1.2.4 (2023-01-22): Bug Fixes: RawAxiosRequestConfig back to AxiosRequestConfig (#5486) (2a71f49); AxiosRequestConfig generic (#5478) (9bce81b). Contributors to this release; PRs.

v1.2.3 (2023-01-10): Bug Fixes; Contributors to this release; PRs.

v1.2.2 (2022-12-29): Fixed; Chores; Contributors to this release.

v1.2.1 (2022-12-05): Changed; Fixed; Refactors; Chores; Contributors to this release; PRs.

v1.2.0 (2022-11-10): Changed; Fixed; Refactors; Chores; Contributors to this release; PRs.

v1.1.3 (2022-10-15): Added; Fixed; Chores; Contributors to this release; PRs.

v1.1.2 (2022-10-07): Fixed; Contributors to this release; PRs.

v1.1.1 (2022-10-07): Fixed; Contributors to this release; PRs.

v1.1.0 (2022-10-06): Fixed; Contributors to this release; PRs.

v1.0.0 (2022-10-04): Added; Changed; Deprecated; Removed; Fixed; Chores; Security; Contributors to this release.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.