Skip to content

Remove axios vulnerability #703

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 18, 2021
Merged

Remove axios vulnerability #703

merged 2 commits into from
Jan 18, 2021

Conversation

@bidoubiwa
Copy link
Contributor

@bidoubiwa bidoubiwa commented Jan 17, 2021
edited
Loading

Axios vulnerability

Oke! So this was a tricky one.

Problem analysiss

  • axios is used by meilisearch < v0.14
  • docs-searchbar.js uses meilisearch.
    • Docs-searchbar >= v.1.1.8 Upgraded to meilisearch > v0.14
    • Before that version, because it uses meilisearch < v0.14, it had axios as a dependency of a dependency
  • vuepress-plugin-meilisearch uses docs-searchbar.js. It uses the last version of docs-searchbar.js v1.1.10. Which uses meilisearch v0.17.0 which do NOT use axios.

So the 1 million question. Why with the latest version of vuepress-plugin-meilisearch do we still have axios as a dependency of dependencies?

What is going on in yarn.lock

docs-searchbar.js@^1.1:
  version "1.1.7" // Why is it still 1.1.7 ?
  dependencies:
       meilisearch "^0.12.0" // Meilisearch that still uses axios

meilisearch@^0.12.0:
  version "0.12.0"
  dependencies:
    axios "^0.19.2"

vuepress-plugin-meilisearch@^0.10.6:
  version "0.10.6" // This version uses docs-searchbar@1.1.10 !
  dependencies:
    docs-searchbar.js "^1.1" // Here is the problem !

Because the version of docs-searchbar that changed from meilisearch v0.12 to v0.14 was a patch change 1.1.7 > 1.1.8, and because we are giving as information ^1.1, yarn.lock of documentation had no need to update the dependency.

Solution

I removed and re-installed vuepress-plugin-meilisearch so that it would download the latests version of all dependency.
This made the yarn.lock change to the following:

docs-searchbar.js@^1.1:
  version "1.1.10"
  dependencies:
      meilisearch "^0.17.0" // Does not uses axios

@bidoubiwa bidoubiwa requested a review from curquiza January 17, 2021 23:19
curquiza
curquiza approved these changes Jan 18, 2021
View reviewed changes
Copy link
Member

@curquiza curquiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@dichotommy
Copy link
Contributor

dichotommy commented Jan 18, 2021

Thank you @bidoubiwa !! 🙇‍♂️

@dichotommy dichotommy merged commit 83e42d7 into master Jan 18, 2021
@dichotommy dichotommy deleted the remove-axios-vulnerability branch January 18, 2021 17:43
dichotommy added a commit that referenced this pull request Jan 22, 2021
@bidoubiwa @dependabot-preview
@dichotommy @curquiza
Update upgrading guide in installation (#702)
cc73883 
* Update upgrading guide in installation

* Bump eslint from 7.17.0 to 7.18.0 (#704)

Bumps [eslint](https://github.com/eslint/eslint) from 7.17.0 to 7.18.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.17.0...v7.18.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

* Remove axios vulnerability (#703)

Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>

* Lazy index getting started suggestion (#571)

* Prepare documentation for release 11/2020 of MeiliSearch

* Change documents references

* Add lazy index to indexes main concept

* Suggestion for lazy index into getting started

* Fix type

* Apply suggestions from code review

Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>

* Update guides/introduction/quick_start_guide.md

Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>

* Update .vuepress/config.js

Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>

* Update references/documents.md

Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>

* Remove create index code sample

* Update guides/introduction/quick_start_guide.md

Co-authored-by: Clémentine Urquizar <clementine@meilisearch.com>

* Update guides/main_concepts/indexes.md

Co-authored-by: Clémentine Urquizar <clementine@meilisearch.com>

* Update guides/main_concepts/indexes.md

Co-authored-by: Clémentine Urquizar <clementine@meilisearch.com>

* Update documents addition in getting started. Updated primary key definition

* Update .vuepress/components/glossary.vue

Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>

* Update guides/introduction/quick_start_guide.md

Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>

* Fix styling

Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>
Co-authored-by: Clémentine Urquizar <clementine@meilisearch.com>

* Update LICENSE (#709)

* Update guides/advanced_guides/installation.md

Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>

* Update upgrading guide in installation

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Tommy <68053732+react-learner@users.noreply.github.com>
Co-authored-by: Clémentine Urquizar <clementine@meilisearch.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@curquiza curquiza curquiza approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bidoubiwa @dichotommy @curquiza