
bumped axios version, ran npm install, pushing updates up #275

Merged
merged 2 commits into from
Mar 20, 2024

Conversation

stbarillas
Contributor

@stbarillas stbarillas commented Dec 7, 2023

Description

Small PR
Bumping Axios version to address vulnerability

Verify

  • Code runs without errors
  • Tests pass with >=85% coverage

@stbarillas stbarillas requested a review from a team as a code owner December 7, 2023 19:36
@stbarillas stbarillas requested review from bamohan and removed request for a team December 7, 2023 19:36

guardrails bot commented Dec 7, 2023

⚠️ We detected 5 security issues in this pull request:

Vulnerable Libraries (5)

Severity  Details
Medium    pkg:npm/[email protected] (t)                       upgrade to: > 27.1.5
High      pkg:npm/[email protected] (t)                       upgrade to: > 19.0.3
Medium    pkg:npm/@slack/[email protected] (t)                upgrade to: > 6.7.1
High      pkg:npm/@semantic-release/[email protected] (t)     upgrade to: > 9.0.1
High      pkg:npm/@commitlint/[email protected] (t)           upgrade to: > 16.2.3

More info on how to fix Vulnerable Libraries in JavaScript.


@stbarillas
Contributor Author

stbarillas commented Dec 7, 2023

@bamohan, I don't have a Lob API key to run tests locally. Could you help me verify that tests are still passing?

Also, the security issues found by guardrails are for dev dependencies. Could these be overlooked for this PR?
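
The triage question raised above (is a flagged package only a devDependency, or is it shipped to consumers at runtime?) can be answered from the lockfile. The following is an added example, not code from the lob-typescript-sdk repository: it walks a constructed lockfileVersion 3 `package-lock.json` from the root's runtime `dependencies` and classifies a scanner finding as reachable at runtime or dev-only, independently of npm's own `dev: true` flag so the two can be cross-checked.

```javascript
// Constructed sample lockfile (npm lockfileVersion 2/3 "packages" shape).
// Package names and versions here are illustrative, not the SDK's real tree.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.6.0" }, devDependencies: { jest: "^29.0.0" } },
    "node_modules/axios": { version: "1.6.0", dependencies: { "follow-redirects": "^1.15.0" } },
    "node_modules/follow-redirects": { version: "1.15.0" },
    "node_modules/jest": { version: "29.0.0", dev: true, dependencies: { "@jest/core": "^29.0.0" } },
    "node_modules/@jest/core": { version: "29.0.0", dev: true },
  },
};

// Resolve a dependency name the way Node does: look in the requiring package's
// own node_modules first, then walk up through each ancestor's node_modules.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. an optional dep that was skipped)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every package path reachable from the root's runtime dependencies
// (dependencies + optionalDependencies, never devDependencies).
function runtimeReachable(lockfile) {
  const packages = lockfile.packages;
  const seen = new Set();
  const stack = Object.keys(packages[""].dependencies || {}).map((n) => resolveDep(packages, "", n));
  while (stack.length) {
    const path = stack.pop();
    if (!path || seen.has(path)) continue;
    seen.add(path);
    const deps = { ...(packages[path].dependencies || {}), ...(packages[path].optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) stack.push(resolveDep(packages, path, dep));
  }
  return seen;
}

// "runtime" means consumers of the published package install it too;
// "dev-only" means only this repo's build/test tooling is exposed.
function classifyFinding(lockfile, pkgName) {
  for (const path of runtimeReachable(lockfile)) {
    if (path === "node_modules/" + pkgName || path.endsWith("/node_modules/" + pkgName)) return "runtime";
  }
  return "dev-only";
}

console.log(classifyFinding(sampleLock, "follow-redirects")); // runtime
console.log(classifyFinding(sampleLock, "jest")); // dev-only
```

A dev-only classification lowers the urgency for downstream consumers but does not remove the exposure for whoever runs the tooling, so it is a prioritisation input rather than a reason to drop the finding.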

@bamohan bamohan requested review from a team and removed request for bamohan December 14, 2023 17:14

@ronakshahlob ronakshahlob left a comment


I ran the tests on the PR and it looks like the upgrade does have some breaking changes. Could you take a look? You should be able to see the breaking tests on the PR; let me know if not.


@bamohan bamohan left a comment


@comp615
Contributor

comp615 commented Feb 1, 2024

@bamohan @ronakshahlob Heya, I did an update to Steve's patch here. Due to how Axios changed packaging with cjs, Jest 27 is not able to understand that. We could add a hack/exception, but the easier solution is to just update that to Jest 29. So I did that and verified that npm test works locally now.

Thanks!

@prescottprue

Any update here? It would be nice to remove the vulnerabilities.

Contributor

@juanfriss juanfriss left a comment


So you were able to test locally, no breaking changes from axios? If yes, good to merge.

I think we should also bump up this package's version from "version": "1.3.3", to 1.3.4

@comp615
Contributor

comp615 commented Mar 7, 2024

So you were able to test locally, no breaking changes from axios? If yes, good to merge.

I think we should also bump up this package's version from "version": "1.3.3", to 1.3.4

All tests passed; we used the update in our code as well with no issues. However, that's not to say we exercise all the functionality, but it seemed OK.

Feel free to bump the version as appropriate after merging so you can release :)

@QuentinLemCode

QuentinLemCode commented Mar 20, 2024

Hello @stbarillas @amaan-lob @BennyKitchell
Can you merge this PR, please?
The axios version of this package raises a security issue on our repo.

@multigl

multigl commented Mar 20, 2024

Also requesting this; axios is showing up in our vulnerability scans from @lob/lob-typescript-sdk.

@juanfriss juanfriss merged commit ef8f883 into lob:main Mar 20, 2024
1 check passed
@juanfriss
Contributor

juanfriss commented Mar 20, 2024

I will publish 1.3.4 in #277 and publish the new version shortly.

@juanfriss
Contributor

Ended up publishing version 1.3.5.
