
security: upgrade axios to fix CVE-2021-3749 #874

Merged
merged 1 commit into iron-fish:staging, Jan 13, 2022

Conversation

oldhill
Contributor

@oldhill oldhill commented Jan 11, 2022

Summary

Upgrade axios to fix CVE-2021-3749

Testing Plan

After upgrade, yarn audit shows no high severity vulnerabilities

Breaking Change

[ ] Yes
[x] No

No breaking changes in this upgrade according to the axios release notes: https://github.com/axios/axios/releases

testnet graffiti / username

oldhill0x12345

@oldhill oldhill requested a review from a team as a code owner January 11, 2022 02:35
@NullSoldier NullSoldier changed the base branch from master to staging January 11, 2022 08:59
@NullSoldier
Contributor

I'll test this manually and we can get it in. paged-request is the only reason we need that resolves. We should submit a PR to https://github.com/jonschlinkert/paged-request/blob/master/package.json as well

@oldhill
Contributor Author

oldhill commented Jan 11, 2022

✅ upstream PR opened: jonschlinkert/paged-request#6

@NullSoldier
Contributor

Lint is failing here, I think the PR needs to be rebased.

Also this introduces a warning that I don't know what to do about, because it's right that paged-request is now using an invalid library version but the security alert says not to use the old one, so.

warning Resolution field "axios@0.22.0" is incompatible with requested version "axios@^0.21.1"

@NullSoldier NullSoldier reopened this Jan 13, 2022
@NullSoldier
Contributor

NullSoldier commented Jan 13, 2022

I closed the PR by accident, reopened.

@NullSoldier
Contributor

I rebased the PR.

@oldhill
Contributor Author

oldhill commented Jan 13, 2022

@NullSoldier that rebase doesn't look like it worked, I am guessing because my branch is on a fork. Changed files on this PR are now just a version bump: https://github.com/iron-fish/ironfish/pull/874/files

@oldhill
Contributor Author

oldhill commented Jan 13, 2022

Here is my upgrade commit that was lost in the force push of master: 66694f5

@oldhill
Contributor Author

oldhill commented Jan 13, 2022

Lint is failing here, I think the PR needs to be rebased.

Also this introduces a warning that I don't know what to do about, because it's right that paged-request is now using an invalid library version but the security alert says not to use the old one, so.

warning Resolution field "axios@0.22.0" is incompatible with requested version "axios@^0.21.1"

The CVE is patched in version 0.21.2 of axios - I can upgrade to that version instead to get rid of this warning, since axios@^0.21.1 should be compatible with all 0.21.xx versions
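
The compatibility question in this comment, as an added example that is not Iron Fish or paged-request code: the check behind yarn's resolution warning, applying the npm caret-range rule (^0.21.1 means >=0.21.1 <0.22.0) to the resolution pinned in package.json, plus a second check that the pinned version is at or past the release carrying the CVE fix. Only plain "^x.y.z" ranges are handled; a real tool should use the semver package.

```javascript
// Parse "0.21.2" into [0, 21, 2].
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a plain x.y.z version: ${v}`);
  }
  return parts;
}

// Compare two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, per the npm semver rule:
// ^1.2.3 -> <2.0.0, ^0.21.1 -> <0.22.0, ^0.0.3 -> <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Does `version` satisfy the caret range `range` (e.g. "^0.21.1")?
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only ^ ranges supported: ${range}`);
  const low = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compareVersions(v, low) >= 0 && compareVersions(v, caretUpperBound(low)) < 0;
}

// Judge a package.json "resolutions" entry: does it stay inside the range the
// dependent requests, and is it at or past the first version carrying the fix?
function checkResolution(resolution, requestedRange, fixedVersion) {
  return {
    compatible: satisfiesCaret(requestedRange, resolution),
    patched: compareVersions(parseVersion(resolution), parseVersion(fixedVersion)) >= 0,
  };
}

// Constructed inputs from the thread: paged-request requests axios@^0.21.1 and
// the CVE-2021-3749 fix is in axios 0.21.2.
console.log(checkResolution('0.22.0', '^0.21.1', '0.21.2')); // { compatible: false, patched: true }
console.log(checkResolution('0.21.2', '^0.21.1', '0.21.2')); // { compatible: true, patched: true }
```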

@oldhill
Contributor Author

oldhill commented Jan 13, 2022

Just pushed a change to upgrade to a compatible point release of axios; this warning should be solved now:
warning Resolution field "axios@0.22.0" is incompatible with requested version "axios@^0.21.1"

@NullSoldier
Contributor

Ok approved, it's merging now! Sorry about the borked rebase.

@NullSoldier NullSoldier enabled auto-merge (squash) January 13, 2022 23:42
@NullSoldier NullSoldier merged commit e184157 into iron-fish:staging Jan 13, 2022
NullSoldier pushed a commit that referenced this pull request Jan 14, 2022
@oldhill
Contributor Author

oldhill commented Jan 14, 2022

Awesome thank you!

NullSoldier pushed a commit that referenced this pull request Jan 15, 2022