fix: resolve CVE-2023-45857 in v0.x
#6091
Conversation
Hey @lnjbr, if relevant, check out our GitHub repo if you wish to learn more, or start using our app. Please feel free to reach us at info@seal.security if you have any requests/questions.
Is there a release schedule which might indicate when this vulnerability fix will be released?
@jasonsaayman @DigitalBrainJS sorry for the direct ping, but curious if this vulnerability will be addressed in 0.x?
No probs, yes, I am very certain we should be fixing it in there too, will try to get this out asap
Can we check the failing tests? @lnjbr
Yup! All set and ready for the workflows to be re-run 🙇
@jasonsaayman can the CI be re-run here?
How do we trigger the CI here, and assuming green builds, what is the release cadence to main branch? Hoping to get some understanding of timing to assist with planning.
As a security feature, axios maintainers have configured the repository to only run CI when they manually kick it off. It's a tactic to ensure forks do not introduce malicious code or try to steal secrets within GH Actions, for example
This is correctly targeting the
Thanks for the info and running the CI! Much appreciated to get that feedback 👏 When I said main branch release cadence, what I probably should have asked is: "when will the changes be merged and released into their respective branch?", e.g. weekly release on a Monday to the targeted version, or ad hoc, or when certain thresholds are met
Is there a reason for the workflow to be running TL;DR: Can I change the install command to
@lnjbr Well, this is an old major branch, no one did CI backports from the 1.x branch...
That looks like permission to change it if you ask me?
@jasonsaayman can you please re-run the CI again?
Validated that CI for the branch is passing in my repo after replacing
@DigitalBrainJS can you please re-run the CI here?
bump!
The PR will be released a bit later, because in the
@DigitalBrainJS any update on the release of this?
Fixes #6090
Used solutions from #6028 and #6046 to resolve the CVE-2023-45857 vulnerability in Axios 0.x

Breaking change: `axios('http://example.com/')` will no longer set an XSRF token by default. To maintain old behavior, a truthy value for `withXSRFToken` must be passed, i.e. `axios('http://example.com/')` would need to be changed to something akin to:
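The breaking change above is easier to reason about with the two behaviours side by side. What follows is an added example written for this thread, not code from the PR or from axios itself: a small model of the header-building step of a browser HTTP client, with the pre-fix behaviour that CVE-2023-45857 describes (the XSRF cookie value is copied into a request header for every destination) beside the opt-in behaviour the PR description specifies for 0.x (the header is only added when `withXSRFToken` is truthy). Only `xsrfCookieName`, `xsrfHeaderName` and `withXSRFToken` are real axios option names; the cookie jar, page origin, URLs and the `requestConfigFor` helper are constructed for the example.

```javascript
// Added example (not axios's own code): models how a browser HTTP client decides
// whether to attach the XSRF header. Only xsrfCookieName, xsrfHeaderName and
// withXSRFToken are real axios option names; everything else here is constructed.

const DEFAULTS = { xsrfCookieName: 'XSRF-TOKEN', xsrfHeaderName: 'X-XSRF-TOKEN' };

// Constructed stand-in for document.cookie on the page https://app.example
const PAGE_ORIGIN = 'https://app.example';
const COOKIE_JAR = { 'XSRF-TOKEN': 'tok-6f1c-secret', session: 'sid-42' };

function readCookie(jar, name) {
  return Object.prototype.hasOwnProperty.call(jar, name) ? jar[name] : null;
}

function isSameOrigin(url, pageOrigin = PAGE_ORIGIN) {
  return new URL(url).origin === new URL(pageOrigin).origin;
}

// Pre-fix behaviour: if the cookie exists, the header is attached to every
// request, so a call to any third-party URL carries the token along with it.
// The URL is deliberately ignored; that is the defect.
function buildHeadersVulnerable(url, config = {}, jar = COOKIE_JAR) {
  const cfg = { ...DEFAULTS, ...config };
  const headers = {};
  const token = readCookie(jar, cfg.xsrfCookieName);
  if (token) headers[cfg.xsrfHeaderName] = token;
  return headers;
}

// Behaviour the PR description gives for 0.x: the header is attached only when
// the caller passes a truthy withXSRFToken. Without it, no token leaves the page.
function buildHeadersFixed(url, config = {}, jar = COOKIE_JAR) {
  const cfg = { ...DEFAULTS, ...config };
  const headers = {};
  if (!cfg.withXSRFToken) return headers;
  const token = readCookie(jar, cfg.xsrfCookieName);
  if (token) headers[cfg.xsrfHeaderName] = token;
  return headers;
}

// Caller-side pattern once the fix is in (this example's own recommendation,
// not something the PR adds): opt in only for requests to the origin that
// issued the cookie, so the header can never be sent to another host.
function requestConfigFor(url, baseConfig = {}) {
  return { ...baseConfig, withXSRFToken: isSameOrigin(url) };
}

// Does the token header reach `url` when headers are built by `builder`?
function tokenReaches(builder, url, config = {}) {
  const headerName = config.xsrfHeaderName || DEFAULTS.xsrfHeaderName;
  return Object.prototype.hasOwnProperty.call(builder(url, config), headerName);
}

// Stand-alone demonstration of the three cases that matter.
function demo() {
  const thirdParty = 'https://attacker.example/collect';
  const sameOrigin = `${PAGE_ORIGIN}/api/profile`;
  return {
    preFixThirdParty: buildHeadersVulnerable(thirdParty),
    fixedThirdParty: buildHeadersFixed(thirdParty),
    fixedSameOriginOptIn: buildHeadersFixed(sameOrigin, requestConfigFor(sameOrigin)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point to take from the fixed variant is that `withXSRFToken: true` re-enables the old behaviour for that request only; if it is set globally as a default, the leak the CVE describes is back for every cross-origin call, which is why the example derives the flag from the target URL instead.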