twilio / twilio-node

Node.js helper library
MIT License

chore: Upgrade axios to version 1.6.8 #993

Closed robertbagge closed 3 months ago

robertbagge commented 5 months ago

Fixes

That version patches the follow-redirects package to a version that does not have the following vulnerability - https://github.com/follow-redirects/follow-redirects/issues/235
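Added example, not code from the twilio-node repository: a lockfile check for the situation the PR description refers to, confirming that a transitive dependency such as follow-redirects is resolved at or above a fixed version on every path in package-lock.json (lockfile v2/v3), since bumping a parent like axios only helps if no other path still pins the old copy. The lockfile fragment and the minimum version used below are constructed; the thread does not state the fixed follow-redirects release.

```javascript
// Added example (not twilio-node code): walk a package-lock.json "packages" map
// and report every copy of a transitive dependency that is still below a
// required version. A parent bump (axios 1.6.8 in this PR) is only effective
// if no nested node_modules path still resolves the old version.

// Constructed lockfile fragment for illustration; paths and versions are made up.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/axios': { version: '1.6.8' },
    'node_modules/follow-redirects': { version: '1.15.6' },
    'node_modules/legacy-tool': { version: '2.0.0' },
    'node_modules/legacy-tool/node_modules/follow-redirects': { version: '1.14.9' },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is ignored.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Compare two semver strings numerically (so "1.15.6" sorts above "1.9.0").
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every lockfile path that resolves to `name`, including nested copies
// installed under another package's node_modules.
function resolvedVersions(lock, name) {
  return Object.entries(lock.packages)
    .filter(([p]) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Copies still below `minVersion`; an empty list means the fix reached every path.
function outdatedCopies(lock, name, minVersion) {
  return resolvedVersions(lock, name).filter((e) => compareVersions(e.version, minVersion) < 0);
}

// '1.15.0' is a constructed placeholder threshold, not a value from the thread.
console.log(outdatedCopies(lockfile, 'follow-redirects', '1.15.0'));
```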

tiwarishubham635 commented 3 months ago

I think we can push to use 1.6.8 and above, right?

robertbagge commented 3 months ago

Definitely. 1.6.5 was the latest release when this PR was created in Jan.

tiwarishubham635 commented 3 months ago

Can you please update it in the PR? I can merge it. Thanks!

robertbagge commented 3 months ago

Done.

Unrelated. We found out about this vulnerability when running dependabot. The entire Twilio SDK ecosystem is full of outdated packages with vulnerabilities. Could work around most of them by manually patching, but it'd be great to see Twilio adopt something like dependabot as well to keep up to date with latest security practices.

tiwarishubham635 commented 3 months ago

Hmmm, we do have dependabot for some repositories. Let me see if I can add one here. Thanks!