ory / sdk

The place where ORY's SDKs are being auto-generated
Apache License 2.0

Upgrade Axios in JS sdk #305

Closed tkjwa closed 6 months ago

tkjwa commented 8 months ago

Preflight checklist

Ory Network Project

No response

Describe your problem

Currently the JS sdk uses axios v0.27.2, which was released more than 2 years ago; the current version is 1.6.2.

Some types are not compatible between the 2 versions, so the following code will throw some compilation errors:

const session: AxiosResponse<Session, any> =
  await this.ory_sdk_frontend.toSession({
    cookie: `${this.options.cookie_name}=${cookie_content}`,
  });

the compilation error:

The types of config.headers are incompatible between these types. Type 'import("/.../node_modules/@ory/client/node_modules/axios/index").AxiosRequestHeaders' is not assignable to type 'import("/.../node_modules/axios/index").AxiosRequestHeaders'. Type AxiosRequestHeaders is missing the following properties from type AxiosHeaders: set, get, has, delete, and 23 more.

from 0.27.2

export type AxiosRequestHeaders = Record<string, string | number | boolean>;

from 1.6

export type AxiosRequestHeaders = RawAxiosRequestHeaders & AxiosHeaders;

Describe your ideal solution

Upgrade the axios version used by the sdk to the current version

Workarounds or alternatives

Use a type assertion with unknown to make the compiler happy

const session = (await this.sdk.toSession()) as unknown as AxiosResponse<Session>

Version

ory sdk v1.4.0

Additional Context

No response

amirzahavi commented 8 months ago

Also, according to Snyk, axios version 0.27.2 has a high-severity security issue: https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Please upgrade to the latest version so @ory/sdk will not pop up in security scanning tools. Thanks
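
The compiler error in the first post names two axios copies, one at the top level and one nested under @ory/client, and the Snyk comment concerns the older one. As an added example (not code from this issue or from the Ory SDK), the following lists every copy of a package recorded in an npm lockfile and flags those below a floor. The lockfile contents are constructed, and the 1.6.2 floor is only the "current version" named in the issue, an assumption rather than the advisory's fixed version.

```javascript
// Added example: list every installed copy of a package in an npm lockfile
// (lockfileVersion 2 or 3, which records installs in a "packages" map).

// Constructed lockfile mirroring the layout in the compiler error above.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/axios": { version: "1.6.2" },
    "node_modules/@ory/client": { version: "1.4.0" },
    "node_modules/@ory/client/node_modules/axios": { version: "0.27.2" },
  },
};

// "0.27.2" -> [0, 27, 2]; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a sorts strictly before version b.
function isOlder(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// One finding per installed copy of `name`; `floor` is chosen by the caller.
function auditPackage(lock, name, floor) {
  const suffix = `node_modules/${name}`;
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (!meta.version) continue; // workspace links carry no version
    // ".../@ory/client/node_modules/axios" -> parent "@ory/client"
    const parent = path === suffix ? null
      : path.slice(0, -suffix.length - 1).split("node_modules/").pop();
    findings.push({ path, parent, version: meta.version,
      belowFloor: isOlder(meta.version, floor) });
  }
  // More than one distinct version means types from the copies can clash.
  const duplicated = new Set(findings.map((f) => f.version)).size > 1;
  return { findings, duplicated };
}

console.log(auditPackage(sampleLock, "axios", "1.6.2"));
```

For a real project, pass the parsed contents of package-lock.json as the first argument instead of the constructed object.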

aeneasr commented 6 months ago

https://github.com/ory/sdk/issues/289#issuecomment-1880713108

SiebelsTim commented 6 months ago

Seems like @ory/client still requires an old axios version. https://github.com/ory/sdk/blob/master/clients/client/typescript/package.json#L27

Updating would be a breaking change for users anyway, wouldn't it?

Oscmage commented 6 months ago

@SiebelsTim In version 1.5.2 of the client, it uses a new version of axios.