
fix: Resolve vulnerabilities in axios #12470

Merged
merged 1 commit into from
Jan 5, 2024

Conversation

terrytangyuan
Member

@terrytangyuan terrytangyuan commented Jan 5, 2024

CI failed during Snyk scan:

Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-AXIOS-6144788] in axios@1.6.2
    introduced by swagger-ui-react@4.19.1 > swagger-client@3.24.6 > @swagger-api/apidom-reference@0.89.0 > axios@1.6.2
  This issue was fixed in versions: 1.6.4
  ✗ Improper Input Validation [High Severity][https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137] in follow-redirects@1.15.3
    introduced by swagger-ui-react@4.19.1 > swagger-client@3.24.6 > @swagger-api/apidom-reference@0.89.0 > axios@1.6.2 > follow-redirects@1.15.3
  This issue was fixed in versions: 1.15.4

Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
@terrytangyuan terrytangyuan merged commit 11ee342 into argoproj:main Jan 5, 2024
17 checks passed
@terrytangyuan terrytangyuan deleted the fix-vul branch January 5, 2024 20:00
@agilgur5 agilgur5 added type/dependencies PRs and issues specific to updating dependencies javascript Pull requests that update Javascript dependencies type/security Security related labels Jan 6, 2024
@agilgur5
Member

agilgur5 commented Jan 6, 2024

For reference from https://security.snyk.io/vuln/SNYK-JS-AXIOS-6144788, we don't actually use the formDataToJSON function. Not as sure about https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137, since that's deep within swagger-ui.

I am curious, is Snyk just failing earlier than dependabot has a chance to upgrade?

Also glad to see you've gotten the hang of modifying / manipulating the yarn.lock file 🙂
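A check of the kind the Snyk scan in the PR description performs, written here as an added example (not code from argo-workflows, Snyk or swagger-ui): it parses a constructed yarn.lock v1 fragment mirroring the reported dependency chain and flags entries still resolved below the fixed versions the scan lists (1.6.4 for axios, 1.15.4 for follow-redirects). The lockfile text and the parsing approach are assumptions for illustration, not the PR's real lockfile.

```javascript
// Added example (not part of the argo-workflows PR or Snyk): flag yarn.lock v1 entries
// still below the versions the Snyk output above says fixed the two advisories.
const ADVISORIES = [
  { name: 'axios', fixedIn: '1.6.4', id: 'SNYK-JS-AXIOS-6144788' },
  { name: 'follow-redirects', fixedIn: '1.15.4', id: 'SNYK-JS-FOLLOWREDIRECTS-6141137' },
];
// yarn.lock v1: an unindented line of comma-separated "name@range" keys ending in ':',
// followed by indented fields, one of which is `version "x.y.z"`.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const keys = line.replace(/:$/, '').split(',').map(k => k.trim().replace(/^"|"$/g, ''));
      // lastIndexOf handles scoped names such as @swagger-api/apidom-reference@^0.89.0
      const name = keys[0].slice(0, keys[0].lastIndexOf('@'));
      current = { name, ranges: keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}
// Numeric major.minor.patch comparison (no pre-release handling; enough for the lockfile here).
function cmpSemver(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Return every locked entry whose resolved version is older than an advisory's fixed version.
function findVulnerable(lockText, advisories = ADVISORIES) {
  return parseYarnLock(lockText).flatMap(e => advisories
    .filter(a => a.name === e.name && e.version && cmpSemver(e.version, a.fixedIn) < 0)
    .map(a => ({ name: e.name, version: e.version, fixedIn: a.fixedIn, id: a.id })));
}
// Constructed lockfile fragment mirroring the chain in the scan output, not the PR's real yarn.lock.
const SAMPLE_LOCK = `# yarn lockfile v1

"axios@^1.6.0":
  version "1.6.2"
  dependencies:
    follow-redirects "^1.15.0"

follow-redirects@^1.15.0:
  version "1.15.3"
`;
```

Running findVulnerable over the fragment reports both axios@1.6.2 and follow-redirects@1.15.3; after bumping the two version fields to the fixed releases it reports nothing, which is the state the merged lockfile change is meant to reach.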

sarabala1979 pushed a commit that referenced this pull request Jan 12, 2024
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Saravanan Balasubramanian <sarabala1979@gmail.com>
sarabala1979 pushed a commit that referenced this pull request Jan 13, 2024
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Saravanan Balasubramanian <sarabala1979@gmail.com>
terrytangyuan added a commit that referenced this pull request Jan 14, 2024
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
dpadhiar pushed a commit to dpadhiar/argo-workflows that referenced this pull request May 9, 2024
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Saravanan Balasubramanian <sarabala1979@gmail.com>
Signed-off-by: Dillen Padhiar <dillen_padhiar@intuit.com>