
fix: Update axios, @actions/github and dompurify [1.23.X] #4652

Merged
merged 2 commits into from Apr 5, 2024

Conversation

@Saibamen (Contributor) commented Apr 4, 2024

11 vulnerabilities (1 low, 4 moderate, 5 high, 1 critical)

EDIT:
13 vulnerabilities (1 low, 6 moderate, 5 high, 1 critical)

instead of

14 vulnerabilities (1 low, 7 moderate, 5 high, 1 critical)

Replaces PR #4647

Other vulnerabilities (and critical 9.8 CVSS GHSA-fqg8-vfv7-8fj8) could be fixed by simply deleting package-lock.json and doing npm update, but this is too much for a PR. This was done by @louislam many times in the past...

Vite should be updated to 4.5.3 to fix fs.deny high vulnerability (7.5/10 CVSS score) (currently we are using 4.4.12 in 1.23.X branch).

No `package-lock.json` refresh, no other changes in `package.json`. 11 vulnerabilities with 1 critical...
@CommanderStorm (Collaborator) left a comment

I don't quite get why #4647 was closed, anyway.

These are the relevant parts of #4647 (review)

Review threads on package.json: resolved (one marked outdated)
@Saibamen changed the title from "fix: Update axios, axios-ntlm, @actions/github and dompurify [1.23.X]" to "fix: Update axios, @actions/github and dompurify [1.23.X]" on Apr 4, 2024
@Zaid-maker (Contributor) commented

simply deleting package-lock.json

What do you mean by deleting package-lock.json?

@louislam louislam added this to the 1.23.12 milestone Apr 5, 2024
@louislam louislam merged commit 9863a10 into louislam:1.23.X Apr 5, 2024
14 checks passed
@Saibamen Saibamen deleted the npm_update branch April 5, 2024 08:02
@Saibamen (Contributor, Author) commented Apr 5, 2024

What do you mean by deleting package-lock.json?

Delete package-lock.json and run npm install to recreate the package-lock.json file with the latest packages within the version ranges from package.json.

@Zaid-maker (Contributor) commented

What do you mean by deleting package-lock.json?

Delete package-lock.json and run npm install to recreate the package-lock.json file with the latest packages within the version ranges from package.json.

Ohh, for recreating, got it.
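The lockfile refresh discussed above (delete package-lock.json, run npm install) only helps when the patched version falls inside the range package.json already allows; otherwise package.json itself has to be bumped, as the description notes for Vite (4.4.12 locked, 4.5.3 needed). The following is an added example, not uptime-kuma's code, that checks a parsed package-lock.json against a table of "fixed in" versions and reports which case applies. The vite version numbers are the ones from this PR; the range for vite, the other package names, their versions and their advisories are constructed for illustration, and the range parser only handles `^`, `~` and exact pins.

```javascript
// Added example, not uptime-kuma's code: check a package-lock.json against a
// table of "fixed in" versions and say whether a plain lockfile refresh
// (delete package-lock.json, run npm install) can pick up the fix within the
// ranges package.json already allows, or whether package.json must be bumped.
// Package names other than vite, and all ranges, are constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal semver range support: "^x.y.z", "~x.y.z" and exact "x.y.z".
// Returns [minInclusive, maxExclusive]; maxExclusive is null for exact pins.
function rangeBounds(range) {
  const r = String(range).trim();
  const base = r.replace(/^[\^~]/, '');
  const [major, minor, patch] = parseVersion(base);
  if (r.startsWith('^')) {
    // caret keeps the leftmost non-zero component fixed
    if (major > 0) return [base, `${major + 1}.0.0`];
    if (minor > 0) return [base, `0.${minor + 1}.0`];
    return [base, `0.0.${patch + 1}`];
  }
  if (r.startsWith('~')) return [base, `${major}.${minor + 1}.0`];
  return [base, null];
}

function satisfies(version, range) {
  const [min, max] = rangeBounds(range);
  if (max === null) return compareVersions(version, min) === 0;
  return compareVersions(version, min) >= 0 && compareVersions(version, max) < 0;
}

// pkg: parsed package.json; lock: parsed package-lock.json (lockfileVersion 2/3,
// which keys installed packages as "node_modules/<name>");
// advisories: { name: firstPatchedVersion }.
function auditLockfile(pkg, lock, advisories) {
  const findings = [];
  for (const [name, fixedIn] of Object.entries(advisories)) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) continue; // not installed at top level
    if (compareVersions(entry.version, fixedIn) >= 0) continue; // already patched
    const range = (pkg.dependencies || {})[name] ?? (pkg.devDependencies || {})[name];
    findings.push({
      name,
      locked: entry.version,
      fixedIn,
      range: range ?? null,
      // null: transitive dependency; whether a refresh helps depends on the
      // parent package's range, which this check does not walk
      fixableByLockRefresh: range === undefined ? null : satisfies(fixedIn, range),
    });
  }
  return findings;
}

// Constructed sample input. The vite versions (4.4.12 locked, 4.5.3 patched)
// are the ones discussed in the PR; the range and the other packages are made up.
const samplePackageJson = {
  dependencies: { 'example-lib': '^1.2.0', 'other-lib': '^2.0.0' },
  devDependencies: { vite: '~4.4.1' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/vite': { version: '4.4.12' },
    'node_modules/example-lib': { version: '1.2.3' },
    'node_modules/other-lib': { version: '2.0.0' },
    'node_modules/deep-dep': { version: '0.9.1' },
  },
};
const sampleAdvisories = { vite: '4.5.3', 'example-lib': '1.4.0', 'other-lib': '1.9.0', 'deep-dep': '0.9.5' };

for (const f of auditLockfile(samplePackageJson, sampleLock, sampleAdvisories)) {
  const how = f.fixableByLockRefresh === null ? 'transitive: check the parent range'
    : f.fixableByLockRefresh ? 'lockfile refresh is enough' : 'needs a package.json bump';
  console.log(`${f.name} ${f.locked} -> ${f.fixedIn} (${f.range ?? 'transitive'}): ${how}`);
}
```

With the constructed input, vite is reported as needing a package.json bump (4.5.3 is outside `~4.4.1`), example-lib as fixable by a lockfile refresh (1.4.0 is inside `^1.2.0`), and deep-dep as transitive. Real advisory data would come from `npm audit --json`, whose `vulnerabilities` entries carry a `fixAvailable` field with the same meaning; the check here makes the reasoning behind that field visible.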


4 participants