Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Update axios to 1.6 to pull in fix for CVE 2023 45857 #971

Merged
merged 3 commits into from
Nov 9, 2023
Merged

chore: Update axios to 1.6 to pull in fix for CVE 2023 45857 #971

merged 3 commits into from
Nov 9, 2023

Conversation

kitu-apietila
Copy link
Contributor

Fixes

  • Updates axios to 1.6.0
  • Explicit TypeScript types to fix build/test.

Checklist

  • I acknowledge that all my contributions will be made under the project's license
  • I have made a material change to the repo (functionality, testing, spelling, grammar)
  • I have read the Contribution Guidelines and my PR follows them
  • I have titled the PR appropriately
  • I have updated my branch with the main branch
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation about the functionality in the appropriate .md file
  • I have added inline documentation to the code I modified

If you have questions, please file a support ticket, or create a GitHub Issue in this repository.

@kitu-apietila kitu-apietila changed the title chore: Axios 1 point 6 fix CVE 2023 45857 chore: Update axios to 1.6 to pull in fix for CVE 2023 45857 Nov 1, 2023
@yangsu-ab
Copy link

any progress on this? i see another PR opened a week ago addressing this vulnerability.

@yangsu-ab yangsu-ab mentioned this pull request Nov 3, 2023
Closed
ghost
ghost approved these changes Nov 6, 2023
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be updated so the vulnerability is fixed.

@yangsu-ab
Copy link

@kitu-apietila
seems like it got approved, rebase/pull main to get it tested and merged?

@kitu-apietila
Update axios to 1.6.0
925594e 
Fixes CVE-2023-45857
@kitu-apietila
Explicit type return on Promise
dbb08b0 
TypeScript's automatic type resolution for the promise returned by the
function in getExponentialBackoffResponseHandler determines that it
returns a Promise<unknown>. This commit forces TypeScript to recognize
that the resolved object is of type Promise<AxiosResponse>.
@kitu-apietila kitu-apietila force-pushed the axios-1-point-6-fix-cve-2023-45857 branch from 64ce476 to dbb08b0 Compare November 7, 2023 19:34
@kitu-apietila
Copy link
Contributor Author

@kitu-apietila seems like it got approved, rebase/pull main to get it tested and merged?

According to Github:

Review required
At least 1 approving review is required by reviewers with write access

I've gone ahead and rebased.

@yangsu-ab
Copy link

@kitu-apietila seems like it got approved, rebase/pull main to get it tested and merged?

According to Github:

Review required At least 1 approving review is required by reviewers with write access

I've gone ahead and rebased.

i thought deepakverdethos had write access to approve 🤣

@ghost
Copy link

ghost commented Nov 9, 2023

@kitu-apietila seems like it got approved, rebase/pull main to get it tested and merged?

According to Github:
Review required At least 1 approving review is required by reviewers with write access
I've gone ahead and rebased.

i thought deepakverdethos had write access to approve 🤣

We want this fix so bad, I thought I would give it a try by approving it. Well it didn't work 🤣

@tiwarishubham635
Copy link
Contributor

Hi! We are working on fixing this pipeline. Should be able to merge it by today. Thanks!

@tiwarishubham635 tiwarishubham635 merged commit a981eb0 into twilio:main Nov 9, 2023
6 checks passed
@tiwarishubham635 tiwarishubham635 mentioned this pull request Nov 9, 2023
Closed
8 tasks
tiwarishubham635 added a commit that referenced this pull request Nov 9, 2023
@tiwarishubham635 @kitu-apietila
@kridai @KobeBrooks @sbansla
chore: sync with main (#979)
c61ed8f 
* chore: Removed LTS version (#978)

* chore: removed LTS version

* chore: removing lts from cloudscan

* chore: completely removed LTS

* chore: Update axios to 1.6 to pull in fix for CVE 2023 45857 (#971)

* Update axios to 1.6.0

Fixes CVE-2023-45857

* Explicit type return on Promise

TypeScript's automatic type resolution for the promise returned by the
function in getExponentialBackoffResponseHandler determines that it
returns a Promise<unknown>. This commit forces TypeScript to recognize
that the resolved object is of type Promise<AxiosResponse>.

---------

Co-authored-by: Shubham <[email protected]>

* chore: twilio help changes (#958)

Co-authored-by: Shubham <[email protected]>

* chore: Removing Test Related To Deprecated Endpoint - OAuth (#963)

* removing test in relation to deprecated endpoint

* removingn more oauth refrences

---------

Co-authored-by: sbansla <[email protected]>

---------

Co-authored-by: Andrew Pietila <[email protected]>
Co-authored-by: kridai <[email protected]>
Co-authored-by: KobeBrooks <[email protected]>
Co-authored-by: sbansla <[email protected]>
@kitu-apietila kitu-apietila deleted the axios-1-point-6-fix-cve-2023-45857 branch November 9, 2023 14:57
@Afellman
Copy link

I see the fix has been merged in. Any ETA on a new version published to NPM?

@tiwarishubham635
Copy link
Contributor

The new changes will be published this Thursday

tiwarishubham635 added a commit that referenced this pull request Nov 13, 2023
@tiwarishubham635 @kitu-apietila
@kridai @KobeBrooks @sbansla
chore: sync with main (#981)
54861cd 
* chore: Removed LTS version (#978)

* chore: removed LTS version

* chore: removing lts from cloudscan

* chore: completely removed LTS

* chore: Update axios to 1.6 to pull in fix for CVE 2023 45857 (#971)

* Update axios to 1.6.0

Fixes CVE-2023-45857

* Explicit type return on Promise

TypeScript's automatic type resolution for the promise returned by the
function in getExponentialBackoffResponseHandler determines that it
returns a Promise<unknown>. This commit forces TypeScript to recognize
that the resolved object is of type Promise<AxiosResponse>.

---------

Co-authored-by: Shubham <[email protected]>

* chore: twilio help changes (#958)

Co-authored-by: Shubham <[email protected]>

* chore: Removing Test Related To Deprecated Endpoint - OAuth (#963)

* removing test in relation to deprecated endpoint

* removingn more oauth refrences

---------

Co-authored-by: sbansla <[email protected]>

---------

Co-authored-by: Andrew Pietila <[email protected]>
Co-authored-by: kridai <[email protected]>
Co-authored-by: KobeBrooks <[email protected]>
Co-authored-by: sbansla <[email protected]>
@abrom abrom mentioned this pull request Nov 14, 2023
Closed
@jacobpgn jacobpgn mentioned this pull request Dec 5, 2023
Merged
15 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tiwarishubham635 tiwarishubham635 tiwarishubham635 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kitu-apietila @yangsu-ab @tiwarishubham635 @Afellman