lob / lob-typescript-sdk

MIT License

bumped axios version, ran npm install, pushing updates up #275

Closed stbarillas closed 6 months ago

stbarillas commented 10 months ago

Description

Small PR bumping the Axios version to address a vulnerability.

Verify

guardrails[bot] commented 10 months ago

:warning: We detected 5 security issues in this pull request:

Vulnerable Libraries (5)
Severity | Details
:-: | :--
Medium | [pkg:npm/ts-jest@27.1.5](https://github.com/lob/lob-typescript-sdk/blob/4cea6cf14963dbac46030e6bb41ff0eea405f934/package.json) (t) upgrade to: *> 27.1.5*
High | [pkg:npm/semantic-release@19.0.3](https://github.com/lob/lob-typescript-sdk/blob/4cea6cf14963dbac46030e6bb41ff0eea405f934/package.json) (t) upgrade to: *> 19.0.3*
Medium | [pkg:npm/@slack/web-api@6.7.1](https://github.com/lob/lob-typescript-sdk/blob/4cea6cf14963dbac46030e6bb41ff0eea405f934/package.json) (t) upgrade to: *> 6.7.1*
High | [pkg:npm/@semantic-release/npm@9.0.1](https://github.com/lob/lob-typescript-sdk/blob/4cea6cf14963dbac46030e6bb41ff0eea405f934/package.json) (t) upgrade to: *> 9.0.1*
High | [pkg:npm/@commitlint/cli@16.2.3](https://github.com/lob/lob-typescript-sdk/blob/4cea6cf14963dbac46030e6bb41ff0eea405f934/package.json) (t) upgrade to: *> 16.2.3*

More info on how to fix Vulnerable Libraries in [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/using_vulnerable_libraries.html?utm_source=ghpr).


stbarillas commented 10 months ago

@bamohan, I don't have a Lob API key to run tests locally. Could you help me verify that tests are still passing?

Also, the security issues found by guardrails are for dev dependencies. Could these be overlooked for this PR?

comp615 commented 8 months ago

@bamohan @ronakshahlob Heya, I did an update to Steve's patch here. Due to how Axios changed packaging with cjs, Jest 27 is not able to understand that. We could add a hack/exception, but the easier solution is to just update that to Jest 29. So I did that and verified that npm test works locally now.

Thanks!

prescottprue commented 7 months ago

Any update here? It would be nice to remove vulnerabilities

comp615 commented 6 months ago

So you were able to test locally, no breaking changes from axios? If yes, good to merge.

I think we should also bump up this package's version from "version": "1.3.3" to 1.3.4.

All tests passed; we used the update in our code as well with no issues. However, that's not to say we exercise all the functionality, but it seemed OK.

Feel free to bump the version as appropriate after merging so you can release :)

QuentinLemCode commented 6 months ago

Hello @stbarillas @amaan-lob @BennyKitchell, can you merge this PR, please? The axios version of this package raises a security issue on our repo.

multigl commented 6 months ago

Also requesting this; axios is showing up in our vulnerability scans from @lob/lob-typescript-sdk.
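Two points raised in this thread are worth checking mechanically rather than by eye: stbarillas notes that the guardrails findings are for dev dependencies, and multigl reports axios surfacing in vulnerability scans as a transitive dependency pulled in through @lob/lob-typescript-sdk. The script below is an added example, not code from this repository or from the PR. It walks an npm lockfile (the `packages` map of lockfileVersion 2 or 3, resolved with npm's nearest-ancestor `node_modules` rule) and reports every dependency chain from the project root to a named package, together with whether that chain is dev-only, so a consumer can tell a runtime exposure from a build-tool finding. The lockfile contents, including the axios version and ranges, are constructed for the example and are not taken from the SDK's real lockfile.

```javascript
// Added example: classify a flagged package as a runtime or dev-only exposure
// by walking an npm lockfile. The lockfile below is CONSTRUCTED for this
// example; versions and ranges are illustrative, not the SDK's real values.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    // The root entry ("") lists the project's own direct dependencies.
    "": {
      dependencies: { "@lob/lob-typescript-sdk": "^1.3.3" },
      devDependencies: { "ts-jest": "^27.1.5" },
    },
    "node_modules/@lob/lob-typescript-sdk": {
      version: "1.3.3",
      dependencies: { axios: "^0.0.0" }, // constructed range
    },
    "node_modules/axios": { version: "0.0.0" }, // constructed version
    "node_modules/ts-jest": {
      version: "27.1.5",
      dev: true,
      dependencies: { "make-error": "^1.3.6" },
    },
    "node_modules/make-error": { version: "1.3.6", dev: true },
  },
};

// npm resolves a dependency to the nearest node_modules/<name> directory,
// starting beside the dependent package and walking up towards the root.
function resolveDependency(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every chain of package names from the root to `target`, tagged with
// the installed version and whether the chain starts in devDependencies.
function findDependencyChains(lockfile, target) {
  const packages = lockfile.packages || {};
  const root = packages[""] || {};
  const chains = [];

  function walk(path, chain, dev, seen) {
    if (seen.has(path)) return; // guard against dependency cycles
    const entry = packages[path];
    if (chain[chain.length - 1] === target) {
      chains.push({ chain: [...chain], version: entry.version, dev });
      return;
    }
    const nextSeen = new Set(seen).add(path);
    for (const depName of Object.keys(entry.dependencies || {})) {
      const resolved = resolveDependency(packages, path, depName);
      if (resolved) walk(resolved, [...chain, depName], dev, nextSeen);
    }
  }

  const sections = [
    ["dependencies", false],
    ["optionalDependencies", false],
    ["devDependencies", true],
  ];
  for (const [section, isDev] of sections) {
    for (const name of Object.keys(root[section] || {})) {
      const resolved = resolveDependency(packages, "", name);
      if (resolved) walk(resolved, [name], isDev, new Set());
    }
  }
  return chains;
}

// Summarise: is the package installed at all, and does any chain reach it
// through a non-dev dependency (i.e. does it ship in production)?
function classifyExposure(lockfile, target) {
  const chains = findDependencyChains(lockfile, target);
  return {
    present: chains.length > 0,
    runtime: chains.some((c) => !c.dev),
    chains,
  };
}

// Stand-alone usage: report each package of interest.
for (const pkg of ["axios", "make-error", "left-pad"]) {
  const result = classifyExposure(LOCKFILE, pkg);
  const kind = !result.present ? "not installed" : result.runtime ? "RUNTIME" : "dev-only";
  console.log(`${pkg}: ${kind}`);
  for (const c of result.chains) {
    console.log(`  ${c.chain.join(" -> ")} (${c.version}${c.dev ? ", dev" : ""})`);
  }
}
```

For a real project, replace `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the walk only relies on the `packages` map, so it works for any lockfileVersion 2 or 3 file. A dev-only result such as ts-jest's can reasonably be triaged as lower priority, while a runtime chain through an SDK dependency is what downstream scanners will keep flagging until the SDK itself upgrades.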

juanfriss commented 6 months ago

I will publish 1.3.4 in https://github.com/lob/lob-typescript-sdk/pull/277 and publish the new version shortly.

juanfriss commented 6 months ago

Ended up publishing version 1.3.5.