
deps: RN-1112: bump axios to ≥0.28 #5493

Merged
merged 11 commits into from
Apr 11, 2024

Conversation

jaskfla (Contributor) commented Mar 10, 2024

Issue RN-1112: Bump axios to ≥0.28

Changes

This PR supersedes the #5489 Dependabot PR of high severity, though does not resolve all current Dependabot alerts related to axios vulnerabilities in all packages. In particular, the Cross-Site Request Forgery Vulnerability patch requires ≥1.6.0, but this breaks a few PSSS tests. Hence upgrading PSSS just to 0.28, which resolves 3 of the 4 Dependabot alerts.

For PSSS: the changelog shows a handful of backports from 1.x versions of axios, but these seem to be additions, not breaking changes.

For the others: a couple of deprecations from the 1.0.0 release, but tests are passing with 1.6.7.

This PR supersedes the #5489 Dependabot PR, which resolves four alerts including one of high severity.

There are a couple of deprecations from the 1.0.0 release, but tests are passing with 1.6.8. Unrelated to the deprecations, the 1.0.0 release also switched from CommonJS to ECMAScript modules, which has caused an issue with Jest. For us, this affects only PSSS. I’ve used a workaround that seems to appear all over StackOverflow and Axios’s GitHub discussions.
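The description above leaves one package (PSSS) on axios 0.28 while the rest move to 1.6.x, and notes that the Cross-Site Request Forgery advisory is only fixed from 1.6.0. The following is an added example, not code from this PR or the repository it targets: it walks an npm lockfile (lockfileVersion 2 or 3, whose `packages` map is keyed by install path) and reports every installed copy of axios that is still below a given floor, so a reviewer can see at a glance which workspaces remain on a version an open alert applies to. The lockfile contents are constructed for illustration; the paths and versions are not taken from the project.

```javascript
// Added example (not from the PR): audit an npm package-lock.json for every
// resolved copy of axios and report the ones below a minimum version.
// Assumes lockfileVersion 2/3, where lock.packages is keyed by install path
// ("node_modules/axios", "packages/psss/node_modules/axios", ...).

// Minimal comparison of "major.minor.patch" release strings; a pre-release
// suffix is dropped, which is enough for versions such as 0.28.0 or 1.6.8.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, hoisted or nested inside a workspace.
function installedCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Copies whose resolved version is older than `minimum`.
function below(lock, name, minimum) {
  return installedCopies(lock, name)
    .filter((copy) => compareVersions(copy.version, minimum) < 0);
}

// Two thresholds from the PR text: 0.28 as the general floor, and 1.6.0 as
// the first release carrying the CSRF advisory fix.
function report(lock) {
  return {
    belowFloor: below(lock, 'axios', '0.28.0'),
    belowCsrfFix: below(lock, 'axios', '1.6.0'),
  };
}

// Constructed sample lockfile (hypothetical monorepo): axios 1.6.8 hoisted at
// the root, with one workspace still pinned to 0.28.0.
const sampleLock = {
  name: 'example-monorepo',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-monorepo', workspaces: ['packages/*'] },
    'node_modules/axios': { version: '1.6.8' },
    'packages/psss/node_modules/axios': { version: '0.28.0' },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

const audit = report(sampleLock);
for (const copy of audit.belowFloor) {
  console.log(`below 0.28 floor: ${copy.path} (${copy.version})`);
}
for (const copy of audit.belowCsrfFix) {
  console.log(`CSRF advisory still applies: ${copy.path} (${copy.version})`);
}
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `sampleLock`; the `belowCsrfFix` list is the set of workspaces that a later bump to 1.6.x would still need to cover.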

@jaskfla jaskfla marked this pull request as ready for review March 10, 2024 22:33
@jaskfla jaskfla changed the title RN-1112: Bump axios to 0.28 RN-1112: Bump axios to ≥0.28 Mar 10, 2024
@jaskfla jaskfla added the dependencies Pull requests that update a dependency file label Mar 14, 2024
@jaskfla jaskfla requested a review from alexd-bes March 28, 2024 02:53
@jaskfla jaskfla changed the title RN-1112: Bump axios to ≥0.28 deps: RN-1112: bump axios to ≥0.28 Apr 2, 2024
alexd-bes (Contributor) left a comment:

Thanks!

@jaskfla jaskfla merged commit 7e454c0 into dev Apr 11, 2024
43 checks passed
@jaskfla jaskfla deleted the rn-1112-bump-axios branch April 11, 2024 02:14
jaskfla added a commit that referenced this pull request Apr 11, 2024
@rohan-bes rohan-bes mentioned this pull request Apr 22, 2024
1 task
Labels: dependencies (Pull requests that update a dependency file)