
build(deps): upgrade axios to 0.21.1 due to high severity vulnerability #449

Closed
petermetz opened this issue Jan 6, 2021 · 1 comment · Fixed by #455 or #508
Labels
dependencies Pull requests that update a dependency file Security Related to existing or potential security vulnerabilities
@petermetz (Contributor)
Description

As a maintainer I want to have our dependencies updated to their (mostly) secure versions so that I can sleep at night.

https://nvd.nist.gov/vuln/detail/CVE-2020-28168

Acceptance Criteria

  1. All occurrences of the axios npm dependency were updated.
  2. Build and tests are working.

cc: @sfuji822 @takeutak @hartm @jonathan-m-hamilton

@petermetz petermetz added dependencies Pull requests that update a dependency file Security Related to existing or potential security vulnerabilities labels Jan 6, 2021
@petermetz petermetz added this to the v0.4.0 milestone Jan 6, 2021
@petermetz petermetz changed the title chore(deps): upgrade axios to 0.21.1 due to high severity vulnerability build(deps): upgrade axios to 0.21.1 due to high severity vulnerability Jan 6, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Jan 6, 2021
Done due to a high severity vulnerability

Fixes hyperledger-cacti#449

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Jan 6, 2021
Done due to a high severity vulnerability

Also adding axios as a dependency to
cactus-test-plugin-ledger-connector-besu
which seems to have been missing so far.

Fixes hyperledger-cacti#449

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Jan 8, 2021
Done due to a high severity vulnerability

Also adding axios as a dependency to
cactus-test-plugin-ledger-connector-besu
which seems to have been missing so far.

Fixes hyperledger-cacti#449

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Jan 8, 2021
Done due to a high severity vulnerability

Also adding axios as a dependency to
cactus-test-plugin-ledger-connector-besu
which seems to have been missing so far.

Fixes hyperledger-cacti#449

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Jan 8, 2021
Done due to a high severity vulnerability

Also adding axios as a dependency to
cactus-test-plugin-ledger-connector-besu
which seems to have been missing so far.

Fixes #449

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Jan 21, 2021
…dger-cacti#449

The previous commit attempting to do the same thing
somehow did not achieve the expected outcome meaning
that there were still leftovers of other versions of axios.

For reference: CVE-2020-28168

Fixes hyperledger-cacti#449

Depends on hyperledger-cacti#506 hyperledger-cacti#507

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz (Contributor, Author)

Reopening because of leftover dependency declarations that were missed in the previous PR (or were introduced on other branches in the meantime; not actually sure).
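The acceptance criterion above ("all occurrences of the axios npm dependency were updated") and the leftover declarations that caused this issue to be reopened both come down to the same check: every package.json in the monorepo must declare axios with a lower bound of at least 0.21.1. The following is an added example, not code from the Cacti repository, that performs that check over a constructed set of manifests; the package paths other than cactus-test-plugin-ledger-connector-besu are made up for illustration.

```javascript
// Added example (not part of Cacti): find axios declarations whose lower
// bound is below 0.21.1, the first release addressing CVE-2020-28168.
const FIXED = [0, 21, 1];

// Lower bound of a simple npm range ("0.21.1", "^0.19.2", "~0.20.0",
// ">=0.21.1 <1.0.0"). Ranges this parser does not understand ("*",
// "latest", git URLs) return null so they are reported, not silently accepted.
function lowerBound(range) {
  const m = /^[\^~]?(?:>=)?\s*v?(\d+)\.(\d+)\.(\d+)/.exec(String(range).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// manifests: { "<path>/package.json": <parsed JSON object> }
// Returns one finding per declaration of `pkg` that is not verifiably >= FIXED.
function findLeftovers(manifests, pkg = "axios") {
  const sections = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
  const findings = [];
  for (const [file, manifest] of Object.entries(manifests)) {
    for (const section of sections) {
      const range = manifest[section] && manifest[section][pkg];
      if (range === undefined) continue;
      const lb = lowerBound(range);
      if (lb === null) {
        findings.push({ file, section, range, reason: "unverifiable range" });
      } else if (compareVersions(lb, FIXED) < 0) {
        findings.push({ file, section, range, reason: "lower bound below 0.21.1" });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not real Cacti files): one already fixed,
// one leftover caret range that can never resolve to 0.21.1, one wildcard.
const SAMPLE = {
  "packages/example-api-server/package.json": { dependencies: { axios: "0.21.1" } },
  "packages/cactus-test-plugin-ledger-connector-besu/package.json": { devDependencies: { axios: "^0.19.2" } },
  "packages/example-connector/package.json": { dependencies: { axios: "*" } },
};

for (const f of findLeftovers(SAMPLE)) {
  console.log(`${f.file} [${f.section}] ${f.range}: ${f.reason}`);
}
```

In a real checkout the `SAMPLE` object would be replaced by reading every package.json under packages/ (and the lockfile resolutions, which this example does not inspect).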

@petermetz petermetz reopened this Jan 21, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Jan 26, 2021
…dger-cacti#449

The previous commit attempting to do the same thing
somehow did not achieve the expected outcome meaning
that there were still leftovers of other versions of axios.

For reference: CVE-2020-28168

Fixes hyperledger-cacti#449

Depends on hyperledger-cacti#506 hyperledger-cacti#507

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Jan 26, 2021
The previous commit attempting to do the same thing
somehow did not achieve the expected outcome meaning
that there were still leftovers of other versions of axios.

For reference: CVE-2020-28168

Fixes #449

Depends on #506 #507

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
ghost pushed a commit to kikoncuo/cactus that referenced this issue Jan 29, 2021
…dger-cacti#449

The previous commit attempting to do the same thing
somehow did not achieve the expected outcome meaning
that there were still leftovers of other versions of axios.

For reference: CVE-2020-28168

Fixes hyperledger-cacti#449

Depends on hyperledger-cacti#506 hyperledger-cacti#507

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
ghost pushed a commit to kikoncuo/cactus that referenced this issue Feb 4, 2021
…dger-cacti#449

The previous commit attempting to do the same thing
somehow did not achieve the expected outcome meaning
that there were still leftovers of other versions of axios.

For reference: CVE-2020-28168

Fixes hyperledger-cacti#449

Depends on hyperledger-cacti#506 hyperledger-cacti#507

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Signed-off-by: Jordi Giron <jordi.giron.amezcua@accenture.com>