
chore: Upgrade axios to version 1.6.8 #993

Merged
merged 4 commits into from Apr 5, 2024

Conversation

robertbagge
Contributor

Fixes

That version patches the follow-redirects package to a version that does not have the following vulnerability - follow-redirects/follow-redirects#235

Checklist

  • [x] I acknowledge that all my contributions will be made under the project's license
  • [n/a] I have made a material change to the repo (functionality, testing, spelling, grammar)
  • [x] I have read the Contribution Guidelines and my PR follows them
  • [x] I have titled the PR appropriately
  • [x] I have updated my branch with the main branch
  • [n/a] I have added tests that prove my fix is effective or that my feature works
  • [n/a] I have added the necessary documentation about the functionality in the appropriate .md file
  • [n/a] I have added inline documentation to the code I modified

@robertbagge robertbagge changed the title chore:upgrade axios to version 1.6.5 chore: Upgrade axios to version 1.6.5 Jan 12, 2024
@tiwarishubham635
Contributor

I think we can push to use 1.6.8 and above, right?

@tiwarishubham635 tiwarishubham635 added dependencies pull requests that update a dependency file difficulty: easy fix is easy in difficulty labels Apr 5, 2024
@robertbagge
Contributor Author

Definitely. 1.6.5 was the latest release when this PR was created in Jan.

@tiwarishubham635
Contributor

Can you please update it in the PR? I can merge it. Thanks!

@robertbagge
Contributor Author

Done.

Unrelated. We found out about this vulnerability when running dependabot. The entire Twilio SDK ecosystem is full of outdated packages with vulnerabilities. Could work around most of them by manually patching, but it'd be great to see Twilio adopt something like dependabot as well to keep up to date with latest security practices.

@tiwarishubham635
Contributor

Hmmm, we do have dependabot for some repositories. Let me see if I can add one here. Thanks!

@tiwarishubham635 tiwarishubham635 merged commit ca6aaf0 into twilio:main Apr 5, 2024
7 checks passed
@tiwarishubham635 tiwarishubham635 changed the title chore: Upgrade axios to version 1.6.5 chore: Upgrade axios to version 1.6.8 Apr 5, 2024