
Update Axios to remove security warning #206

Merged: merged 1 commit into from, Nov 27, 2023

Conversation

xiehan (Member) commented Nov 24, 2023

Fixes https://github.com/hashicorp/js-releases/security/dependabot/10

I have no idea why Dependabot can't seem to generate an update for this itself, but whatever.

Please ping me when this gets released so I can update terraform-cdk-action which is also getting this warning (https://github.com/hashicorp/terraform-cdk-action/security/dependabot/15)

@xiehan xiehan requested a review from a team as a code owner November 24, 2023 11:45
@xiehan xiehan added the dependencies Auto-pinning label Nov 24, 2023
radeksimko (Member) left a comment

I have no idea why Dependabot can't seem to generate an update for this itself, but whatever.

I believe it's because it's configured to only update as long as the update involves the lock file only. Our package.json assumes compatibility constraints between major and minor versions.

versioning-strategy: lockfile-only

Whether that's right or wrong I don't know but it "works as intended" if the intention is what's written in the config file. 😁

We already use v1.4.0 in vscode-terraform and so I'm assuming this was simply forgotten about and we aren't stuck with that old version because of any compatibility reasons.

@jpogran do you have any more context here, before we ship it?

@radeksimko radeksimko requested a review from jpogran November 27, 2023 07:52
jpogran (Contributor) commented Nov 27, 2023

We used "axios": "^0.25.0" which uses the caret symbol. That means include any version that does not increment the major, or the first non-zero part. Since we had 0, and the fix was in 1, it wasn't automatically bumped because it's considered a possible breaking change.
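The caret rule described in the comment above is easy to get wrong for 0.x versions, so here is an added example (not code from the js-releases repository or from any commenter) that implements npm's caret (^) range semantics for plain MAJOR.MINOR.PATCH versions and shows why a "^0.25.0" constraint never admits a 1.x release while "^1.0.0" would admit 1.4.0. Prerelease tags and build metadata are deliberately unsupported; the sample constraints and candidate versions are constructed for the demonstration.

```javascript
// Added example: minimal npm caret-range semantics, written to show why
// "^0.25.0" never resolves to 1.x. Not the project's code. Plain X.Y.Z only.

function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(text.trim());
  if (!m) throw new Error(`unsupported version string: ${text}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Lexicographic comparison of [major, minor, patch]: negative, zero or positive.
function compareVersions(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

// Translate ^X.Y.Z into the half-open interval [X.Y.Z, upper) that npm uses:
// the upper bound is the first version that changes the left-most non-zero
// component, so 0.x ranges are pinned to a single minor series.
function caretRange(rangeText) {
  if (!rangeText.startsWith('^')) throw new Error(`not a caret range: ${rangeText}`);
  const lower = parseVersion(rangeText.slice(1));
  let upper;
  if (lower.major > 0) {
    upper = { major: lower.major + 1, minor: 0, patch: 0 };   // ^1.2.3 -> <2.0.0
  } else if (lower.minor > 0) {
    upper = { major: 0, minor: lower.minor + 1, patch: 0 };   // ^0.25.0 -> <0.26.0
  } else {
    upper = { major: 0, minor: 0, patch: lower.patch + 1 };   // ^0.0.3 -> <0.0.4
  }
  return { lower, upper };
}

function formatVersion(v) {
  return `${v.major}.${v.minor}.${v.patch}`;
}

// Render the range in the ">=lower <upper" form npm itself prints.
function describeCaret(rangeText) {
  const { lower, upper } = caretRange(rangeText);
  return `>=${formatVersion(lower)} <${formatVersion(upper)}`;
}

// True when candidate lies inside the caret range.
function satisfiesCaret(rangeText, candidateText) {
  const { lower, upper } = caretRange(rangeText);
  const candidate = parseVersion(candidateText);
  return compareVersions(candidate, lower) >= 0 && compareVersions(candidate, upper) < 0;
}

// Constructed sample: the constraint from the PR discussion against candidate releases.
const SAMPLE = [
  ['^0.25.0', '0.25.9'],
  ['^0.25.0', '0.26.0'],
  ['^0.25.0', '1.4.0'],
  ['^1.0.0', '1.4.0'],
  ['^1.4.0', '2.0.0'],
];

for (const [range, candidate] of SAMPLE) {
  const verdict = satisfiesCaret(range, candidate) ? 'allowed' : 'rejected';
  console.log(`${range} (${describeCaret(range)})  ${candidate}: ${verdict}`);
}
```

The practical consequence for a lockfile-only Dependabot setup is visible in the third sample line: any fixed release on the 1.x line sits outside the interval the caret produces, so the lock file alone can never be advanced to it and the constraint in package.json has to change by hand.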

jpogran (Contributor) commented Nov 27, 2023

Tested locally since the tests mock axios and all seems to work

@jpogran jpogran merged commit 66f082f into main Nov 27, 2023
3 checks passed
@jpogran jpogran deleted the upgrade-axios branch November 27, 2023 17:36