
fix(deps): upgrade axios and typescript

Open jeremyadavis opened this issue 2 years ago • 7 comments

This fixes vulnerabilities in the axios library: CVE-2022-0155 and CVE-2022-0536.

There are a couple of things to consider if this PR is worth merging:

  • There are a few breaking changes in axios along the way from 0.21.4 to 0.26.1
  • Axios used the AbortController type from the DOM library and now doesn't. The upgrade broke a type and the fix was to add "dom" to the tsconfig. Really not sure if that is the correct work around or not.
  • The upgrade needed the Omit utility type, which wasn't added until 3.5.1, so I had to upgrade the typescript dependency. TBH, I don't understand why the tsconfig doesn't exclude node_modules, so maybe that's the better approach unless I'm missing something.

I tested this locally with my company's iOS and Android app and saw no issues. I did not test on the web.

Fixes: #287

jeremyadavis avatar Mar 09 '22 23:03 jeremyadavis
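The two typing problems listed above (a missing `Omit` on an older compiler, and a type that only resolves once "dom" is added to `lib`) can be handled without widening the project's global type surface. The block below is an added example, not apisauce's or axios's code: `OmitCompat` is the same `Pick`/`Exclude` construction TypeScript 3.5 ships as the built-in `Omit`, and `AxiosLikeConfig`, `omitKeys` and `stripSignal` are hypothetical names chosen for the illustration. Adding "dom" to `lib` makes every browser global visible to a library that also targets Node and React Native, so a local alias or a narrow ambient declaration is the more contained fix.

```typescript
// Added example (not code from the PR or the project).
// Backport of the built-in `Omit` for TypeScript < 3.5. Named differently so it
// does not collide with the global `Omit` on compilers that already have it.
type OmitCompat<T, K extends keyof any> = Pick<T, Exclude<keyof T, K>>;

// Hypothetical stand-in for a request config that carries an abort signal.
// `signal` is typed as `unknown` so this compiles with or without "dom" in `lib`.
interface AxiosLikeConfig {
  url: string;
  method: "GET" | "POST";
  timeout: number;
  signal?: unknown;
}

// The shape that a consumer without AbortController support would see.
type ConfigWithoutSignal = OmitCompat<AxiosLikeConfig, "signal">;

// Runtime counterpart of OmitCompat: shallow-copies `obj` and drops `keys`.
function omitKeys<T extends object, K extends keyof T>(
  obj: T,
  ...keys: K[]
): OmitCompat<T, K> {
  const copy: Partial<T> = { ...obj };
  for (const key of keys) {
    delete copy[key];
  }
  return copy as OmitCompat<T, K>;
}

// Drops `signal` before handing the config to code compiled without DOM types.
function stripSignal(cfg: AxiosLikeConfig): ConfigWithoutSignal {
  return omitKeys(cfg, "signal");
}

// Constructed sample input (not a real request).
const sampleConfig: AxiosLikeConfig = {
  url: "https://example.invalid/api/items",
  method: "GET",
  timeout: 1000,
  signal: { aborted: false },
};

const stripped = stripSignal(sampleConfig);
// The compiler accepts the result as ConfigWithoutSignal, and at runtime the key is gone.
const hasSignal: boolean = "signal" in stripped;
```

The alias is type-level only, so the runtime `omitKeys` is what a test can observe; the compile-time guarantee is that `stripped.signal` is no longer an addressable property.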

I uncovered an issue with this upgrade and multipart/form-data:

There is a hack to get around it, but the official fix isn't merged yet so I'm going to undo my usage of the axios upgrade until an official fix is available.

I'll try to remember to update the PR when fixed.

jeremyadavis avatar Mar 11 '22 17:03 jeremyadavis

Thanks @jeremyadavis for the PR

chakrihacker avatar Mar 15 '22 02:03 chakrihacker

@jeremyadavis you should try bumping the version of axios to 0.27.2 per this comment in one of the issues you mentioned.

noah-eigenfeld avatar May 12 '22 20:05 noah-eigenfeld

I upgraded axios to 0.27.2 and confirmed that it does fix the issue where multipart/form-data was broken, using my company's React Native app.

Notably, axios 0.27.0 refactored its error handling, which broke a couple of tests that had expected null responses and now have explicit error strings.

jeremyadavis avatar May 13 '22 21:05 jeremyadavis

Any update on this one? Thank you!

tgensol avatar Jun 27 '22 14:06 tgensol

Could someone please merge and release this? It has been months since it was opened.

florinvasilevilsan avatar Jun 28 '22 08:06 florinvasilevilsan

@infinitered-circleci @jamonholmgren Any update on this?

Thank you

hariks-mm avatar Sep 06 '22 09:09 hariks-mm

What's the status on this?

TheWirv avatar Oct 13 '22 10:10 TheWirv

Any chance this could be merged and released? Perhaps labeled as beta for a while?

eithe avatar Nov 28 '22 08:11 eithe

Any update?

nazrdogan avatar Dec 22 '22 13:12 nazrdogan

When can this PR be merged? Upgrading the axios lib version will fix CVE-2022-0155 and CVE-2022-0536.

pgodha avatar Jan 11 '23 07:01 pgodha

@infinitered-circleci can anyone merge this? Thanks

surethink avatar Jan 23 '23 12:01 surethink

Pretty please @jamonholmgren, is anyone on your team able to merge this? Or should we move on from apisauce? That's ok, but would be good to know.

eithe avatar Feb 21 '23 15:02 eithe

Hey folks, I'll take a look at this. Kinda slipped off my radar. Not enough people tagged me :joy:

jamonholmgren avatar Mar 08 '23 03:03 jamonholmgren

:tada: This PR is included in version 3.0.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

infinitered-circleci avatar Mar 08 '23 23:03 infinitered-circleci

@jeremyadavis Thanks a ton for sending in this PR, and for your patience.

We've been focusing on Ignite and Reactotron lately, but apisauce is on our list to revive at some point.

jamonholmgren avatar Mar 09 '23 02:03 jamonholmgren