
feat: upgrade axios to resolve CVE-2023-45857 #1682

Merged
merged 3 commits into from Oct 30, 2023

Conversation


@enza252 enza252 commented Oct 30, 2023

Summary

Describe the goal of this PR. Mention any related Issue numbers.

Requirements (place an x in each [ ])

@filmaj filmaj added the labels semver:patch, pkg:web-api (applies to `@slack/web-api`), pkg:interactive-messages (deprecated; applies to `@slack/interactive-messages`) and pkg:webhook (applies to `@slack/webhook`) Oct 30, 2023

filmaj commented Oct 30, 2023

If I understand correctly, the vulnerability relies on a cross-site request forgery attack, but given that these libraries are used and consumed in server-side applications and not in browsers, I do not think our libraries are exposed to this vulnerability. Is that correct?


enza252 commented Oct 30, 2023

Hey @filmaj - if that's the case then that is grand, I'm glad to hear that there is a minimal blast radius for this vulnerability.

I'm keen to get axios updated as we are seeing CI job failures when security scanning - and I'd much prefer to propose a fix than keep clicking an exception button.
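The kind of lockfile check a CI security scan performs, as an added example that is not code from this PR or from the node-slack-sdk project: it walks a constructed package-lock.json and flags every axios copy older than 1.6.0, the axios version the 6.9.1 release notes record for this update, including transitive copies nested under a dependency.

```javascript
// Added example (not node-slack-sdk code): flag axios copies in a package-lock.json
// that predate 1.6.0, the axios release the 6.9.1 notes record for this fix.
const FIXED_AXIOS = '1.6.0';

// Numeric comparison of dotted versions (pre-release suffix ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed axios, from either the lockfileVersion 2/3 "packages" map or
// the lockfileVersion 1 "dependencies" tree. Nested copies matter: a transitive
// axios under @slack/web-api is the one that package actually loads at runtime.
function collectAxios(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/axios')) found.push({ path, version: meta.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'axios') found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function findVulnerableAxios(lock) {
  return collectAxios(lock).filter((e) => compareVersions(e.version, FIXED_AXIOS) < 0);
}

// Constructed lockfile: the root already has a fixed axios, but @slack/web-api
// still carries its own older copy, which is the one a scanner should report.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/axios': { version: '1.6.0' },
    'node_modules/@slack/web-api': { version: '6.9.0', dependencies: { axios: '^1.5.0' } },
    'node_modules/@slack/web-api/node_modules/axios': { version: '1.5.1' },
  },
};
console.log(findVulnerableAxios(SAMPLE_LOCK));
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real tree; a non-empty result is the condition a CI gate would fail on.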


@filmaj filmaj left a comment


This is great, and thanks for the PR.

It's a tiny bit tricky to merge this as-is right now, mainly because I am half-way through addressing the web-api's version 7.0 milestone, which is a major, and thus breaking, new version. Because of this, the main branch is in an in-between state for the web-api package.

@enza252 instead could I suggest a modification? Drop the changes to the web-api package in this PR, and move them to a separate PR that targets the web-api-6.9-hotfix branch I just created? Once merged in there, then I can create a hotfix 6.9.1 release from there.


enza252 commented Oct 30, 2023

@filmaj on it!

@filmaj filmaj merged commit a74e35b into slackapi:main Oct 30, 2023
15 checks passed
@filmaj filmaj removed the pkg:web-api (applies to `@slack/web-api`) label Oct 30, 2023
enza252 pushed a commit to enza252/node-slack-sdk that referenced this pull request Oct 30, 2023

filmaj commented Oct 30, 2023

Webhook v7.0.1 is now published.

Thanks for the PR!

kodiakhq bot pushed a commit to X-oss-byte/Nextjs that referenced this pull request Jan 20, 2024

This PR contains the following updates:

| Package | Change |
|---|---|
| [@slack/web-api](https://slack.dev/node-slack-sdk/web-api) ([source](https://togithub.com/slackapi/node-slack-sdk)) | [`^6.9.0` -> `^7.0.0`](https://renovatebot.com/diffs/npm/@slack%2fweb-api/6.9.0/7.0.1) |

---

### Release Notes

<details>
<summary>slackapi/node-slack-sdk (@slack/web-api)</summary>

### [`v7.0.1`](https://togithub.com/slackapi/node-slack-sdk/releases/tag/%40slack/webhook%407.0.1)

[Compare Source](https://togithub.com/slackapi/node-slack-sdk/compare/@slack/web-api@7.0.0...@slack/web-api@7.0.1)

#### What's Changed

[`a74e35b`](https://togithub.com/slackapi/node-slack-sdk/commit/a74e35b) feat: upgrade axios to resolve CVE-2023-45857 ([#1682](https://togithub.com/slackapi/node-slack-sdk/issues/1682))

#### New Contributors

-   [@enza252](https://togithub.com/enza252) made their first contribution in slackapi/node-slack-sdk#1682

### [`v7.0.0`](https://togithub.com/slackapi/node-slack-sdk/releases/tag/%40slack/webhook%407.0.0)

[Compare Source](https://togithub.com/slackapi/node-slack-sdk/compare/@slack/web-api@6.11.2...@slack/web-api@7.0.0)

### What's Changed

[`85c07d9`](https://togithub.com/slackapi/node-slack-sdk/commit/85c07d9) Set minimum node version to 18 ([#1666](https://togithub.com/slackapi/node-slack-sdk/issues/1666))
[`0ba6dc2`](https://togithub.com/slackapi/node-slack-sdk/commit/0ba6dc2) Add metadata to incoming webhooks parameters ([#1617](https://togithub.com/slackapi/node-slack-sdk/issues/1617))

### Breaking Changes

While this release is a new major version, the only "breaking change" is that we dropped support for node versions below v18 (at the time of this release, v16 and lower have reached their end of life). No APIs from this package were changed.

### [`v6.11.2`](https://togithub.com/slackapi/node-slack-sdk/releases/tag/%40slack/web-api%406.11.2)

[Compare Source](https://togithub.com/slackapi/node-slack-sdk/compare/@slack/web-api@6.11.1...@slack/web-api@6.11.2)

Bumps axios to 1.6.5 to address *another* security vulnerability.

### [`v6.11.1`](https://togithub.com/slackapi/node-slack-sdk/releases/tag/%40slack/web-api%406.11.1)

[Compare Source](https://togithub.com/slackapi/node-slack-sdk/compare/@slack/web-api@6.11.0...@slack/web-api@6.11.1)

Bumps axios to 1.6.3 to address a security vulnerability.

### [`v6.11.0`](https://togithub.com/slackapi/node-slack-sdk/releases/tag/%40slack/web-api%406.11.0)

[Compare Source](https://togithub.com/slackapi/node-slack-sdk/compare/@slack/web-api@6.10.0...@slack/web-api@6.11.0)

-   Adds support for `style.code` properties on rich text elements. See original issue [#1706](https://togithub.com/slackapi/node-slack-sdk/issues/1706) and PR to resolve [#1707](https://togithub.com/slackapi/node-slack-sdk/issues/1707).

### [`v6.10.0`](https://togithub.com/slackapi/node-slack-sdk/releases/tag/%40slack/web-api%406.10.0)

[Compare Source](https://togithub.com/slackapi/node-slack-sdk/compare/@slack/web-api@6.9.1...@slack/web-api@6.10.0)

##### What's Changed

[`66eb303`](https://togithub.com/slackapi/node-slack-sdk/commit/66eb303) Add support for apps.manifest.\* endpoints - thanks [@misscoded](https://togithub.com/misscoded)! ([#1690](https://togithub.com/slackapi/node-slack-sdk/issues/1690))
[`6e07903`](https://togithub.com/slackapi/node-slack-sdk/commit/6e07903) Add new args to admin.users.list and update web API response types - thanks [@seratch](https://togithub.com/seratch)! ([#1688](https://togithub.com/slackapi/node-slack-sdk/issues/1688))

**Full Changelog**: https://github.com/slackapi/node-slack-sdk/compare/@slack/web-api@6.9.1...@slack/web-api@6.10.0

### [`v6.9.1`](https://togithub.com/slackapi/node-slack-sdk/releases/tag/%40slack/web-api%406.9.1)

[Compare Source](https://togithub.com/slackapi/node-slack-sdk/compare/@slack/web-api@6.9.0...@slack/web-api@6.9.1)

#### What's Changed

-   chore: update axios in web-api to 1.6.0. See [#1682](https://togithub.com/slackapi/node-slack-sdk/issues/1682) for more info by [@enza252](https://togithub.com/enza252) in slackapi/node-slack-sdk#1686

**Full Changelog**: https://github.com/slackapi/node-slack-sdk/compare/@slack/web-api@6.9.0...@slack/web-api@6.9.1

</details>


This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Nextjs).