
Upgrade Axios #796

Closed
5 of 15 tasks
anulman opened this issue May 30, 2019 · 2 comments

Comments


anulman commented May 30, 2019

Description

Upstream Axios (HTTP client) has a high-severity vulnerability (see axios/axios#2183). @slack/web-api users should be encouraged to monitor this issue, and upgrade once resolved.

What type of issue is this? (place an x in one of the [ ])

  • bug
  • enhancement (feature request)
  • question
  • documentation related
  • testing related
  • discussion

Requirements (place an x in each of the [ ])

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Bug Report

GitHub sent me an email about this vuln; I ran yarn why axios in the affected project and discovered it is a transitive dependency via @slack/web-api.

Packages:

Select all that apply:

  • @slack/web-api
  • @slack/events-api
  • @slack/interactive-messages
  • @slack/rtm-api
  • @slack/webhooks
  • I don't know

Reproducible in:

package version: 5.0.1

node version: 11.9.0

OS version(s): OSX 10.14.4

Steps to reproduce:

  1. Use the Slack Web API package
  2. Confirm on the upstream issue: Vulnerability found axios/axios#2183

Expected result:

No deps with vulns!

Actual result:

Deps with vulns :(

Attachments:

(screenshot attachment; image not captured)


anulman commented May 30, 2019

Update: 0.19.0 has been released; a 0.18.1 release is expected to be cut per axios/axios#2183 (comment)


anulman commented Jun 2, 2019

0.18.1 has been released and will be used on fresh installs of this package per semver pinning. Closing this issue.

If you have a previously installed version, you can resolve the security warning by upgrading @slack/web-api's sub-dependencies, e.g. by using:

```bash
# yarn
yarn upgrade @slack/web-api --deep

# npm
npm update --depth 9999 @slack/web-api
```

Tagging @LarsBuur and @boiarqin, because y'alls thumbs up'ed the initial comment 😄

@anulman anulman closed this as completed Jun 2, 2019
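The thread recommends upgrading sub-dependencies, but a lockfile can hold several copies of axios, each reached through a different parent. The following added example (not code from the issue or from the Slack SDK) walks a package-lock.json style nested `dependencies` tree and reports every axios entry with the path that pulls it in, flagging versions below 0.18.1, the fix release named above (0.19.0 is also fixed). The lockfile fragment is constructed for the demo, and treating every version below 0.18.1 as affected is an assumption taken from this thread rather than from the advisory text.

```javascript
// Added example: audit a package-lock.json (v1 nested layout) for axios copies
// that predate the fix release discussed in this issue. Not from the original thread.

const FIXED = [0, 18, 1]; // assumption: anything >= 0.18.1 (incl. 0.19.x) is fixed

// "^0.18.0" or "0.18.0" -> [0, 18, 0]
function parseVersion(v) {
  return v.replace(/^[^\d]*/, '').split('.').slice(0, 3).map(n => parseInt(n, 10) || 0);
}

// Lexicographic compare of [major, minor, patch] against FIXED.
function isFixed(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== FIXED[i]) return a[i] > FIXED[i];
  }
  return true;
}

// Recursively collect every "axios" entry together with its dependency path,
// so the output answers the same question as `yarn why axios`.
function findAxios(deps, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'axios') {
      out.push({ path: here.join(' > '), version: info.version, fixed: isFixed(info.version) });
    }
    findAxios(info.dependencies, here, out);
  }
  return out;
}

// Constructed sample mirroring the report: axios is transitive via @slack/web-api,
// while another library already pulls a fixed copy.
const sampleLock = {
  dependencies: {
    '@slack/web-api': { version: '5.0.1', dependencies: { axios: { version: '0.18.0' } } },
    'some-other-lib': { version: '1.0.0', dependencies: { axios: { version: '0.19.0' } } },
  },
};

// Returns only the copies that still need the upgrade.
function report(lock) {
  return findAxios(lock.dependencies).filter(r => !r.fixed);
}

for (const r of report(sampleLock)) console.log(`VULNERABLE axios ${r.version} via ${r.path}`);
```

To run against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; lockfiles in the newer flat `packages` layout need a different walk.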