
Update dependency axios to ^0.21.0 [SECURITY] - autoclosed #1016

Closed

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Aug 4, 2023

Mend Renovate

This PR contains the following updates:

Package: axios (source)
Change: ^0.19.0 -> ^0.21.0

GitHub Vulnerability Alerts

CVE-2020-28168

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVE-2021-3749

axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.


Release Notes

axios/axios (axios)

v0.21.2

Compare Source

Fixes and Functionality:
  • Updating axios requests to be delayed by pre-emptive promise creation (#​2702)
  • Adding "synchronous" and "runWhen" options to interceptors api (#​2702)
  • Updating of transformResponse (#​3377)
  • Adding ability to omit User-Agent header (#​3703)
  • Adding multiple JSON improvements (#​3688, #​3763)
  • Fixing quadratic runtime and extra memory usage when setting a maxContentLength (#​3738)
  • Adding parseInt to config.timeout (#​3781)
  • Adding custom return type support to interceptor (#​3783)
  • Adding security fix for ReDoS vulnerability (#​3980)
Internal and Tests:
  • Updating build dev dependencies (#​3401)
  • Fixing builds running on Travis CI (#​3538)
  • Updating follow redirect version (#​3694, #​3771)
  • Updating karma sauce launcher to fix failing sauce tests (#​3712, #​3717)
  • Updating content-type header for application/json to not contain charset field, according to RFC 8259 (#​2154)
  • Fixing tests by bumping karma-sauce-launcher version (#​3813)
  • Changing testing process from Travis CI to GitHub Actions (#​3938)
Documentation:
  • Updating documentation around the use of AUTH_TOKEN with multiple domain endpoints (#​3539)
  • Remove duplication of item in changelog (#​3523)
  • Fixing grammatical errors (#​2642)
  • Fixing spelling error (#​3567)
  • Moving gitpod mention (#​2637)
  • Adding new axios documentation website link (#​3681, #​3707)
  • Updating documentation around dispatching requests (#​3772)
  • Adding documentation for the type guard isAxiosError (#​3767)
  • Adding explanation of cancel token (#​3803)
  • Updating CI status badge (#​3953)
  • Fixing errors with JSON documentation (#​3936)
  • Fixing README typo under Request Config (#​3825)
  • Adding axios-multi-api to the ecosystem file (#​3817)
  • Adding SECURITY.md to properly disclose security vulnerabilities (#​3981)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

v0.21.1

Compare Source

Fixes and Functionality:
  • Hotfix: Prevent SSRF (#​3410)
  • Protocol not parsed when setting proxy config from env vars (#​3070)
  • Updating axios in types to be lower case (#​2797)
  • Adding a type guard for AxiosError (#​2949)
Internal and Tests:
  • Remove the skipping of the socket http test (#​3364)
  • Use different socket for Win32 test (#​3375)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

v0.21.0

Compare Source

Fixes and Functionality:
  • Fixing requestHeaders.Authorization (#​3287)
  • Fixing node types (#​3237)
  • Fixing axios.delete ignores config.data (#​3282)
  • Revert "Fixing overwrite Blob/File type as Content-Type in browser. (#​1773)" (#​3289)
  • Fixing an issue that type 'null' and 'undefined' is not assignable to validateStatus when typescript strict option is enabled (#​3200)
Internal and Tests:
  • Lock travis to not use node v15 (#​3361)
Documentation:

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

v0.20.0

Compare Source

Release of 0.20.0-pre as a full release with no other changes.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title Update dependency axios [SECURITY] Update dependency axios to v0.21.2 [SECURITY] Aug 4, 2023
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 694ccd6 to 0d0c482 Compare August 4, 2023 11:21
@renovate renovate bot changed the title Update dependency axios to v0.21.2 [SECURITY] Update dependency axios [SECURITY] Aug 4, 2023
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 0d0c482 to 7f54279 Compare August 4, 2023 12:33
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 7f54279 to 635e997 Compare August 4, 2023 16:35
@renovate renovate bot changed the title Update dependency axios [SECURITY] Update dependency axios to ^0.21.0 [SECURITY] Aug 4, 2023
@renovate
Contributor Author

renovate bot commented Aug 4, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pils-frontend/package-lock.json
/usr/local/bin/docker: line 4: .: filename argument required
.: usage: . filename [arguments]
[21:25:35.080] INFO (43): Downloading file ...
    url: "https://github.com/containerbase/node-prebuild/releases/download/18.17.0/node-18.17.0-focal-x86_64.tar.xz.sha512"
    output: "/tmp/worker/8d1444/a1eda3/cache/containerbase/4f1b66de1eebc4e832e9ad5a012165a5e79cd3b1c3892eb6646e768a14a95e7c/node-18.17.0-focal-x86_64.tar.xz.sha512"
[21:25:35.120] INFO (43): Download completed  in 40ms.
[21:25:35.235] INFO (59): Downloading file ...
    url: "https://github.com/containerbase/node-prebuild/releases/download/18.17.0/node-18.17.0-focal-x86_64.tar.xz"
    output: "/tmp/worker/8d1444/a1eda3/cache/containerbase/d71155bd68a6dac4a334976c5d82cd47e91bf95aa8811a4ec27c615d8d82df76/node-18.17.0-focal-x86_64.tar.xz"
[21:25:35.443] INFO (59): Download completed  in 208ms.
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: css-loader@3.4.2
npm ERR! Found: webpack@3.12.0
npm ERR! node_modules/webpack
npm ERR!   dev webpack@"3.12.0" from the root project
npm ERR!   peer webpack@">=2" from babel-loader@8.0.6
npm ERR!   node_modules/babel-loader
npm ERR!     dev babel-loader@"^8.0.6" from the root project
npm ERR!   5 more (extract-text-webpack-plugin, ...)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer webpack@"^4.0.0 || ^5.0.0" from css-loader@3.4.2
npm ERR! node_modules/css-loader
npm ERR!   css-loader@"^3.4.2" from the root project
npm ERR!   peer css-loader@"*" from vue-loader@13.7.3
npm ERR!   node_modules/vue-loader
npm ERR!     dev vue-loader@"^13.7.3" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: webpack@5.88.2
npm ERR! node_modules/webpack
npm ERR!   peer webpack@"^4.0.0 || ^5.0.0" from css-loader@3.4.2
npm ERR!   node_modules/css-loader
npm ERR!     css-loader@"^3.4.2" from the root project
npm ERR!     peer css-loader@"*" from vue-loader@13.7.3
npm ERR!     node_modules/vue-loader
npm ERR!       dev vue-loader@"^13.7.3" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! 
npm ERR! For a full report see:
npm ERR! /tmp/worker/8d1444/a1eda3/cache/others/npm/_logs/2023-08-08T21_25_40_071Z-eresolve-report.txt

npm ERR! A complete log of this run can be found in: /tmp/worker/8d1444/a1eda3/cache/others/npm/_logs/2023-08-08T21_25_40_071Z-debug-0.log

@oscrx oscrx force-pushed the main branch 2 times, most recently from 9381ad9 to 08e8e7a Compare August 4, 2023 23:37
@renovate renovate bot changed the title Update dependency axios to ^0.21.0 [SECURITY] Update dependency axios to ^0.21.0 [SECURITY] - autoclosed Aug 4, 2023
@renovate renovate bot closed this Aug 4, 2023
@renovate renovate bot deleted the renovate/npm-axios-vulnerability branch August 4, 2023 23:53
@renovate renovate bot changed the title Update dependency axios to ^0.21.0 [SECURITY] - autoclosed Update dependency axios to ^0.21.0 [SECURITY] Aug 5, 2023
@renovate renovate bot reopened this Aug 5, 2023
@renovate renovate bot restored the renovate/npm-axios-vulnerability branch August 5, 2023 00:10
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 635e997 to e2b6e8b Compare August 5, 2023 00:11
@oscrx oscrx force-pushed the main branch 2 times, most recently from cec1dcc to d30d027 Compare August 5, 2023 00:18
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch 2 times, most recently from 42f3857 to 053bd9d Compare August 5, 2023 01:28
@oscrx oscrx force-pushed the main branch 3 times, most recently from 30c2322 to 255c6ae Compare August 5, 2023 01:48
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch 6 times, most recently from dfc5b14 to f4fd883 Compare August 5, 2023 10:11
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch 5 times, most recently from 09e4781 to 99af5e0 Compare August 7, 2023 03:19
@oscrx oscrx force-pushed the main branch 2 times, most recently from 887a911 to 0984725 Compare August 7, 2023 03:23
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch 8 times, most recently from c521934 to b40faef Compare August 7, 2023 18:20
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch 4 times, most recently from 8e3c60e to e7b7eff Compare August 8, 2023 21:14
@oscrx oscrx force-pushed the main branch 2 times, most recently from 6c944f9 to d25b3f9 Compare August 8, 2023 21:16
@renovate renovate bot force-pushed the renovate/npm-axios-vulnerability branch from e7b7eff to 92190d9 Compare August 8, 2023 21:25
@sonarcloud

sonarcloud bot commented Aug 8, 2023

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (rating A)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 0 (rating A)
  • Code Smells: 0 (rating A)
  • Coverage: no coverage information
  • Duplication: 0.0%

@renovate renovate bot changed the title Update dependency axios to ^0.21.0 [SECURITY] Update dependency axios to ^0.21.0 [SECURITY] - autoclosed Aug 9, 2023
@renovate renovate bot closed this Aug 9, 2023
@renovate renovate bot deleted the renovate/npm-axios-vulnerability branch August 9, 2023 01:34