Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE-2023-45857 npm vulnerability found in audit #3279

Merged
merged 1 commit into from
Nov 14, 2023
Merged

Fix CVE-2023-45857 npm vulnerability found in audit #3279

merged 1 commit into from
Nov 14, 2023

Conversation

s-fairchild
Copy link
Collaborator

Which issue this PR addresses:

GHSA-wf5p-g6vw-rhxx

Fixes

What this PR does / why we need it:

npm audit reported vulnerability CVE-2023-45857 in our Axios version.

Affected versions
>= 0.8.1, < 1.6.0
Patched versions
1.6.0

Test plan for issue:

Unit tests
E2E tests

Is there any documentation that needs to be updated for this PR?

No

@s-fairchild s-fairchild marked this pull request as draft November 10, 2023 18:26
@s-fairchild s-fairchild added the chainsaw Pull requests or issues owned by Team Chainsaw label Nov 10, 2023
@s-fairchild s-fairchild marked this pull request as ready for review November 10, 2023 19:14
bennerv
bennerv previously approved these changes Nov 10, 2023
View reviewed changes
tsatam
tsatam previously approved these changes Nov 10, 2023
View reviewed changes
@AldoFusterTurpin AldoFusterTurpin mentioned this pull request Nov 10, 2023
Closed
SudoBrendan
SudoBrendan previously approved these changes Nov 10, 2023
View reviewed changes
@tsatam
Copy link
Collaborator

tsatam commented Nov 13, 2023

#3282 Dependabot's PR here updates the package.json coordinates for Axios to bump the minimum allowed version to 1.6.0. I think that change should be included in this PR as well (Dependabot's PR won't work for us since it doesn't update our built assets).

@s-fairchild
Copy link
Collaborator Author

s-fairchild commented Nov 14, 2023
edited

#3282 Dependabot's PR here updates the package.json coordinates for Axios to bump the minimum allowed version to 1.6.0. I think that change should be included in this PR as well (Dependabot's PR won't work for us since it doesn't update our built assets).

Thanks, I updated package.json as well.
Although I went with 1.6.1 because that's what npm fix audit updated to.

cadenmarchese
cadenmarchese approved these changes Nov 14, 2023
View reviewed changes
Copy link
Collaborator

@cadenmarchese cadenmarchese left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you!

@bennerv bennerv merged commit ac7cf2f into Azure:master Nov 14, 2023
18 checks passed
ventifus pushed a commit to ventifus/ARO-RP that referenced this pull request Feb 7, 2024
@s-fairchild @ventifus
Fix CVE-2023-45857 npm vulnerability found in audit (Azure#3279)
9cc020b 
GHSA-wf5p-g6vw-rhxx
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bennerv bennerv bennerv approved these changes

@tsatam tsatam tsatam approved these changes

@cadenmarchese cadenmarchese cadenmarchese approved these changes

@SudoBrendan SudoBrendan SudoBrendan left review comments

@jewzaam jewzaam Awaiting requested review from jewzaam jewzaam is a code owner

@hawkowl hawkowl Awaiting requested review from hawkowl hawkowl is a code owner

@rogbas rogbas Awaiting requested review from rogbas rogbas is a code owner

@petrkotas petrkotas Awaiting requested review from petrkotas petrkotas is a code owner

@jharrington22 jharrington22 Awaiting requested review from jharrington22 jharrington22 is a code owner

@cblecker cblecker Awaiting requested review from cblecker cblecker is a code owner

@UlrichSchlueter UlrichSchlueter Awaiting requested review from UlrichSchlueter UlrichSchlueter is a code owner

@s-amann s-amann Awaiting requested review from s-amann

@Shivkumar13 Shivkumar13 Awaiting requested review from Shivkumar13

@yjst2012 yjst2012 Awaiting requested review from yjst2012 yjst2012 is a code owner

@anshulvermapatel anshulvermapatel Awaiting requested review from anshulvermapatel anshulvermapatel is a code owner

@hlipsig hlipsig Awaiting requested review from hlipsig hlipsig is a code owner

Assignees
No one assigned
Labels
chainsaw Pull requests or issues owned by Team Chainsaw ready-for-review size-small Size small
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@s-fairchild @tsatam @bennerv @SudoBrendan @cadenmarchese