fix: bump axios

[leotm]

Description

Fix CI failing on Improved Yarn Audit step

metamask@7.10.0 /Users/leo/Documents/GitHub/metamask-mobile
├─┬ @consensys/on-ramp-sdk@1.23.0
│ └── axios@0.27.2
├─┬ appium-adb@9.14.11
│ └─┬ @appium/support@4.1.6
│   └── axios@1.4.0
├─┬ appium@1.22.3
│ ├─┬ appium-android-driver@4.54.0
│ │ ├─┬ appium-chromedriver@4.28.0
│ │ │ └── axios@0.27.2
│ │ └── axios@0.27.2
│ ├─┬ appium-base-driver@7.11.3
│ │ └── axios@0.27.2
│ ├─┬ appium-ios-driver@4.8.3
│ │ └── axios@0.27.2
│ ├─┬ appium-mac2-driver@0.14.1
│ │ └── axios@0.27.2
│ ├─┬ appium-support@2.55.0
│ │ └── axios@0.27.2
│ ├─┬ appium-uiautomator2-driver@1.75.0
│ │ └── axios@0.27.2
│ ├─┬ appium-xcuitest-driver@3.62.0
│ │ └─┬ appium-webdriveragent@3.17.0
│ │   └── axios@0.27.2
│ └── axios@0.27.2
├── axios@0.26.1
└─┬ chromedriver@99.0.0
  └── axios@0.24.0

Related issues

• CI broken past few hrs on Improved Yarn Audit step
• GHSA-wf5p-g6vw-rhxx
• chore(deps-dev): bump chromedriver from 99.0.0 to 119.0.1 #7747 worth looking at after

Manual testing steps

yarn audit:ci

Screenshots/Recordings

Before

Vulnerability Found:

  Severity: MODERATE
  Modules: @consensys/on-ramp-sdk>axios, appium-adb>@appium/support>axios, axios
  URL: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

Vulnerability Found:

  Severity: MODERATE
  Modules: @consensys/on-ramp-sdk>axios, appium-adb>@appium/support>axios, axios
  URL: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

Vulnerability Found:

  Severity: MODERATE
  Modules: @consensys/on-ramp-sdk>axios, appium-adb>@appium/support>axios, axios
  URL: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

Vulnerability Found:

  Severity: MODERATE
  Modules: axios
  URL: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

After

➜  metamask-mobile git:(fix/unbreak-ci-audit-fix-CVE-2023-45857) ✗ yarn audit:ci
yarn run v1.22.19
warning ../package.json: No license field
$ ./scripts/yarn-audit.sh
warning ../package.json: No license field
$ /Users/leo/Documents/GitHub/metamask-mobile/node_modules/.bin/improved-yarn-audit --ignore-dev-deps --min-severity moderate --fail-on-missing-exclusions
Improved Yarn Audit - v3.0.0

Reading excluded advisories from .iyarc
Minimum severity level to report: moderate
Excluded Advisories: ["GHSA-p8p7-x288-28g6","GHSA-c2qf-rxjj-qqgw"]

Running yarn audit...

Found 0 vulnerabilities

2 ignored because they are dev dependencies

6 ignored because of advisory exclusions

Run `yarn audit` for more information
✔ Audit shows _zero_ moderate or high severity advisories _in the production dependencies_
✨  Done in 2.32s.

Pre-merge author checklist

• I’ve followed MetaMask Coding Standards.
• I've clearly explained what problem this PR is solving and how it is solved.
• I've linked related issues
• I've included manual testing steps
• I've included screenshots/recordings if applicable
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.
• I’ve properly set the pull request status:
  • In case it's not yet "ready for review", I've set it to "draft".
  • In case it's "ready for review", I've changed it from "draft" to "non-draft".

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[leotm]

consider v1.6.1, spotted in

• chore(deps-dev): bump chromedriver from 99.0.0 to 119.0.1 #7747

https://github.com/axios/axios/releases/tag/v1.6.1

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
axios	0.26.1...1.6.0	network	+0/-0	1.79 MB	jasonsaayman

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: axios@1.6.0

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

[leotm]

@SocketSecurity ignore axios@1.6.0

network access expected

Promise based HTTP client for the browser and node.js

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (e821b6e) 35.10% compared to head (1e0aacb) 35.10%.
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7758   +/-   ##
=======================================
  Coverage   35.10%   35.10%           
=======================================
  Files        1039     1039           
  Lines       27619    27619           
  Branches     2336     2336           
=======================================
  Hits         9695     9695           
  Misses      17401    17401           
  Partials      523      523           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

E2E test started on Bitrise: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/9347946f-db7b-4146-8078-f5b342539d43
You can also kick off another Bitrise E2E smoke test by removing and re-applying the (Run Smoke E2E) label

[leotm]

E2E test started on Bitrise: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/9347946f-db7b-4146-8078-f5b342539d43 You can also kick off another Bitrise E2E smoke test by removing and re-applying the (Run Smoke E2E) label

✅ ios_e2e_test

✅ android_e2e_test

[Andepande]

LG

[tommasini]

LGTM, do we test the on ramp on the release testing @Andepande ? it would be good to check it since we are doing a major upgrade version on axios, since it is used by them

[leotm]

merged after discussions ^ we can follow-up on comments if agreed later to

• fix: bump axios #7758 (comment)
  • unpin/loosen the dep/res vers cc @legobeat
• fix: bump axios #7758 (review)
  • bump to v1.6.1
• fix: bump axios #7758 (review)
  • now bump chore(deps-dev): bump chromedriver from 99.0.0 to 119.0.1 #7747