[SECURITY] Updating axios version to 1.6.8 #142
Conversation
wjrosa
changed the title
|
This seems like a reasonable change, but it's not clear to me how we would confirm that it is still working as expected. |
|
From what I could see in the code, this is actually just used by our e2e tests ( // Ensure that global-setup.js runs before creating api client
if ( process.env.CONSUMER_KEY && process.env.CONSUMER_SECRET ) {
api = new wcApi( {
url: config.use.baseURL,
consumerKey: process.env.CONSUMER_KEY,
consumerSecret: process.env.CONSUMER_SECRET,
version: 'wc/v3',
} );
}It is used below to create customers, products, orders, and other entities. If e2e tests continue to work with this update, we are good to go. |
diegocurbelo
left a comment
diegocurbelo
left a comment
There was a problem hiding this comment.
The version bump seems ok, it's only bumping the patch version, so it should be compatible... and the tests pass:
--
And, for the tests in the Stripe repo, using this lib locally with:
"@woocommerce/woocommerce-rest-api": "../woocommerce-rest-api-js-lib", the E2E tests also pass.
Checking the package-lock.json, there are still several resolved deps for Axios with versions < 1.6.8. However, since Axios is not used in the actual plugin package, but rather to set up the test environment, that shouldn't be a problem.
daledupreez
left a comment
daledupreez
left a comment
There was a problem hiding this comment.
Thanks for testing, @diegocurbelo!
🚀
wjrosa
changed the title
wjrosa
changed the title
Address https://cwe.mitre.org/data/definitions/200.html
Address https://cwe.mitre.org/data/definitions/212.html
To address https://github.com/woocommerce/woocommerce-gateway-stripe/security/dependabot/20 in the Stripe extension repository, we need to update
axiosto bumpfollow-redirectsto at least1.15.6(1.15.9in practice).1.6.8https://github.com/axios/axios/releases/tag/v1.6.8