Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update follow_redirects for CVE #876

Merged
merged 1 commit into from
Mar 15, 2024
Merged

update follow_redirects for CVE #876

merged 1 commit into from
Mar 15, 2024

Conversation

gebhardtr
Copy link
Contributor

@gebhardtr gebhardtr commented Mar 15, 2024
edited
Loading

Description

Based on: https://github.com/axios/axios/pull/6300/files, updating axios's dependency doesn't appear to require code changes so this should be safe.

But, ideally, we would wait for axios PR 6300 to be merged and update instead of updating its dependency directly.

Testing

Steps to test

  1. Pull down the PR
  2. ...
  3. ...

Scenarios tested

Production deployment

  • This code change is ready for production on its own
  • This code change requires the following considerations before going to production:

@github-actions GitHub Actions
Copy link 

# npm audit report

follow-redirects  <=1.15.5
Severity: moderate
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

1 moderate severity vulnerability

To address all issues, run:
  npm audit fix

manstis
manstis previously approved these changes Mar 15, 2024
View reviewed changes
Copy link
Contributor

@manstis manstis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@gebhardtr gebhardtr marked this pull request as draft March 15, 2024 13:14
@gebhardtr gebhardtr closed this Mar 15, 2024
@gebhardtr gebhardtr force-pushed the rg/fix-audit-follow branch from 04912d3 to 15fe6a8 Compare March 15, 2024 13:19
@gebhardtr gebhardtr reopened this Mar 15, 2024
@gebhardtr
update follow_redirects for CVE
b18b5f7 
Signed-off-by: Richard Gebhardt <[email protected]>
@gebhardtr gebhardtr force-pushed the rg/fix-audit-follow branch from b959d7d to b18b5f7 Compare March 15, 2024 13:24
@gebhardtr gebhardtr changed the title update axios package to update follow_redirects for CVE update follow_redirects for CVE Mar 15, 2024
@gebhardtr gebhardtr marked this pull request as ready for review March 15, 2024 13:29
manstis
manstis approved these changes Mar 15, 2024
View reviewed changes
Copy link
Contributor

@manstis manstis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍 Thanks @gebhardtr

@gebhardtr gebhardtr merged commit 26572a4 into main Mar 15, 2024
5 checks passed
@gebhardtr gebhardtr deleted the rg/fix-audit-follow branch March 15, 2024 21:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@manstis manstis manstis approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gebhardtr @manstis