This repository was archived by the owner on Jan 5, 2026. It is now read-only.

fix: follow-redirects Component Governance vulnerability #4071

Merged
mrivera-ms merged 3 commits into main from bruce/cgalertfix1-21 on Jan 31, 2022

Conversation

@BruceHaley (Contributor) commented Jan 21, 2022

Fixes #minor

Description

Fixes the high severity follow-redirects vulnerability listed in these 2 CG alerts:
https://fuselabs.visualstudio.com/SDK_v4/_componentGovernance/112352/alert/6373557?typeId=10422422
https://fuselabs.visualstudio.com/SDK_v4/_componentGovernance/112352/alert/6373574?typeId=10422422

Vulnerability: follow-redirects 1.5.10
-- Recommendation: Upgrade follow-redirects from 1.5.10 to 1.14.7
Vulnerability: follow-redirects 1.14.4
-- Recommendation: Upgrade follow-redirects from 1.14.4 to 1.14.7

The initial follow-redirects dependency tree looked like this:

C:\src\botbuilder-js>npm ls follow-redirects
botbuilder-js@4.13.0 C:\src\botbuilder-js
`-- @azure/ms-rest-js@1.9.1
  `-- axios@0.21.4
    `-- follow-redirects@1.14.4

I fixed it with the command:
yarn upgrade @azure/ms-rest-js@2.6.0
...resulting in the dependency being eliminated:

C:\src\botbuilder-js>npm ls follow-redirects
botbuilder-js@4.13.0 C:\src\botbuilder-js
`-- (empty)

Testing

I tested the fix in these 4 Sample-Js E2E test runs:
Sample-Js-CoreBot-Linux-Test-yaml
Sample-Js-CoreBot-Win-Test-yaml
Sample-Js-EchoBot-Linux-Test-yaml
Sample-Js-EchoBot-Win-Test-yaml
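
The check the PR author ran by hand (`npm ls follow-redirects` before and after the upgrade) can be automated against the JSON form of that tree. The script below is an added example, not code from botbuilder-js or from this PR: it walks an `npm ls --json`-shaped tree (assumed shape: root `{name, version, dependencies}`, children `{version, dependencies}`) and reports every path to a `follow-redirects` older than the advisory's fixed version 1.14.7. The two trees are constructed to mirror the before/after output quoted above.

```javascript
// Added example (not part of the botbuilder-js PR): flag every dependency
// path that leads to a package version below the advisory's fixed version.

// Numeric compare of dotted versions ("1.5.10" < "1.14.7"); pre-release
// suffixes are stripped, which is enough for the advisory's plain versions.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk of the assumed `npm ls --json` shape, collecting
// "root@v > a@x > b@y" paths for each occurrence of pkg below fixedVersion.
function findVulnerable(tree, pkg, fixedVersion) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = [...path, node.version ? `${name}@${node.version}` : name];
    if (name === pkg && node.version &&
        compareVersions(node.version, fixedVersion) < 0) {
      hits.push(here.join(' > '));
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Constructed: the tree before the upgrade, as quoted in the PR description.
const beforeTree = {
  name: 'botbuilder-js', version: '4.13.0',
  dependencies: { '@azure/ms-rest-js': { version: '1.9.1', dependencies: {
    axios: { version: '0.21.4', dependencies: {
      'follow-redirects': { version: '1.14.4' } } } } } } };

// Constructed: after `yarn upgrade @azure/ms-rest-js@2.6.0` the chain is gone.
const afterTree = { name: 'botbuilder-js', version: '4.13.0',
  dependencies: { '@azure/ms-rest-js': { version: '2.6.0' } } };

console.log(findVulnerable(beforeTree, 'follow-redirects', '1.14.7'));
console.log(findVulnerable(afterTree, 'follow-redirects', '1.14.7'));
```

Feed it real output with `npm ls --json --all` piped into `JSON.parse` to get the same report for a live checkout.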

@coveralls commented Jan 21, 2022

Pull Request Test Coverage Report for Build 1775283574

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.003%) to 84.546%

Totals Coverage Status
Change from base Build 1775183583: -0.003%
Covered Lines: 19668
Relevant Lines: 22036

💛 - Coveralls

@BruceHaley BruceHaley changed the title Fix follow-redirects Component Governance vulnerability fix: follow-redirects Component Governance vulnerability Jan 21, 2022
@BruceHaley BruceHaley marked this pull request as ready for review January 24, 2022 18:12
@BruceHaley BruceHaley requested a review from a team as a code owner January 24, 2022 18:12
@BruceHaley BruceHaley added the Area: Engineering Internal issues that are related to improving code quality, refactorings, code cleanup, etc. label Jan 24, 2022
@mrivera-ms mrivera-ms merged commit 37536ee into main Jan 31, 2022
@mrivera-ms mrivera-ms deleted the bruce/cgalertfix1-21 branch January 31, 2022 23:14