
Binary install update for axios security vulnerability. #1012

Merged
merged 3 commits into from
Jun 17, 2021

Conversation

simlay
Contributor

@simlay simlay commented Jun 3, 2021

Closes #958. Co-PR to #973.

Based on #973 (review), I've run node run.js and verified that this works.

If we'd like, I'm down to add a test subcrate that runs node run.js build to actually run the full build. Thoughts?

Make sure these boxes are checked! 📦✅

  • You have the latest version of rustfmt installed
$ rustup component add rustfmt
  • You ran cargo fmt on the code base before submitting
  • You reference which issue is being closed in the PR text

✨✨ 😄 Thanks so much for contributing to wasm-pack! 😄 ✨✨

@simlay simlay changed the title Binary install update for 958 Binary install update for axios security vulnerability. Jun 3, 2021
@Keavon

Keavon commented Jun 4, 2021

Thanks for this! I will email @ashleygwilliams since hopefully she just has GitHub notifications disabled but hasn't fallen off the face of the earth.

Edit: done, email sent. It probably won't hurt to tweet at her also, the Twitter handle is listed on her GitHub profile. I'll report back if I hear nothing in a few days.

@Keavon

Keavon commented Jun 4, 2021

Do we also want to update the version number to 0.9.2? I believe (some or all of) these are the relevant files?:

  • Cargo.lock:2284
  • Cargo.toml:4
  • CHANGELOG.md (add a section indicating the bumped binary-install version)
  • docs\index.html:45 and :47
  • npm\package.json:3
  • npm\package-lock.json (but you aren't supposed to hand-edit this file, does this perhaps get updated by running npm update or npm install after making the other changes?)
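The alert this PR closes is for a transitive dependency: wasm-pack's npm shim depends on binary-install, which in turn pulled in axios 0.19.0, so the vulnerable package never appears in package.json itself and is only visible in the lockfile. The script below, an added example that is not part of wasm-pack or of this PR, walks a package-lock.json and reports every path by which a given package is resolved, together with the resolved version, so a reviewer can confirm after the bump that no copy of axios older than the fixed release survives. Both lockfile layouts are handled: the nested "dependencies" tree of lockfileVersion 1 and the flat "packages" map of lockfileVersion 2/3. The sample lockfile and the 0.21.1 threshold are constructed for the example; substitute the version named in the actual advisory.

```python
"""Report every path by which an npm package is resolved in package-lock.json
and flag copies older than a fixed version.  Added example; the sample
lockfile and the threshold below are constructed, not taken from wasm-pack."""
import json

# Constructed lockfileVersion 1 document modelled on the PR: the hoisted
# binary-install package carries its own nested copy of axios 0.19.0, while an
# unrelated tool resolves a newer axios.
SAMPLE_LOCK_V1 = json.loads("""
{
  "name": "wasm-pack",
  "version": "0.9.1",
  "lockfileVersion": 1,
  "dependencies": {
    "binary-install": {
      "version": "0.0.1",
      "requires": {"axios": "^0.19.0"},
      "dependencies": {"axios": {"version": "0.19.0"}}
    },
    "other-tool": {
      "version": "1.0.0",
      "requires": {"axios": "^0.21.0"},
      "dependencies": {"axios": {"version": "0.21.1"}}
    }
  }
}
""")

# The same tree in the lockfileVersion 2 "packages" layout (keys are paths).
SAMPLE_LOCK_V2 = json.loads("""
{
  "name": "wasm-pack",
  "version": "0.9.1",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "wasm-pack", "version": "0.9.1"},
    "node_modules/binary-install": {"version": "0.0.1"},
    "node_modules/binary-install/node_modules/axios": {"version": "0.19.0"},
    "node_modules/other-tool": {"version": "1.0.0"},
    "node_modules/other-tool/node_modules/axios": {"version": "0.21.1"}
  }
}
""")


def _walk_v1(deps, path=()):
    """Yield (chain, version) for every entry in a nested v1 dependency tree."""
    for name, entry in deps.items():
        chain = path + (name,)
        yield chain, entry.get("version")
        yield from _walk_v1(entry.get("dependencies", {}), chain)


def _walk_v2(packages):
    """Yield (chain, version) from the flat v2/v3 map, whose keys are
    node_modules paths such as node_modules/a/node_modules/b."""
    for key, entry in packages.items():
        if not key:  # "" is the root project itself
            continue
        parts = [p.strip("/") for p in key.split("node_modules/")]
        yield tuple(p for p in parts if p), entry.get("version")


def resolved_paths(lock):
    """Return [(chain, version)] for every package in either lockfile layout."""
    if "packages" in lock:
        return list(_walk_v2(lock["packages"]))
    return list(_walk_v1(lock.get("dependencies", {})))


def parse_version(v):
    """Turn '0.19.0' or '1.2.3-beta.1' into a comparable integer tuple;
    a pre-release suffix is dropped, which is adequate for a lower bound."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(x) for x in core.split("."))


def find_package(lock, target):
    """All chains ending in `target`, e.g. ('binary-install', 'axios')."""
    return [(c, ver) for c, ver in resolved_paths(lock) if c[-1] == target]


def vulnerable_instances(lock, target, fixed_in):
    """Chains whose resolved `target` is older than `fixed_in`, rendered as
    'parent/child' strings so they read like a dependency path."""
    fixed = parse_version(fixed_in)
    return [("/".join(c), ver) for c, ver in find_package(lock, target)
            if ver is not None and parse_version(ver) < fixed]


if __name__ == "__main__":
    # Constructed threshold; use the version the advisory actually names.
    for lock in (SAMPLE_LOCK_V1, SAMPLE_LOCK_V2):
        for path, ver in vulnerable_instances(lock, "axios", "0.21.1"):
            print(f"vulnerable axios {ver} via {path}")
```

Run it against the real lockfile with `json.load(open("npm/package-lock.json"))` in place of the sample; an empty result after the bump is the check that the binary-install update actually removed the old axios rather than leaving a second, nested copy behind.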

@Keavon

Keavon commented Jun 5, 2021

Hmm, what about these test failures?

@simlay
Contributor Author

simlay commented Jun 5, 2021

> Hmm, what about these test failures?

I'm pretty sure this is fixed in #983.

@Keavon

Keavon commented Jun 5, 2021

I see, so we would need to merge that one before this one?

@simlay
Contributor Author

simlay commented Jun 5, 2021

> I see, so we would need to merge that one before this one?

There have been a couple of PRs to help clean up CI. I think fixing CI is outside the scope of this security fix.

@Keavon

Keavon commented Jun 5, 2021

Ok, so that would mean we just merge even though CI is failing, correct? In other words, CI would fail if it were run on the current state of the master branch?

@simlay
Contributor Author

simlay commented Jun 6, 2021

> Ok, so that would mean we just merge even though CI is failing, correct? In other words, CI would fail if it were run on the current state of the master branch?

It seems that way. The only PR since December to "pass" CI was #983, it seems. If whoever has merge and publish access to this repo wants CI to pass for this PR, I'm fine with fixing it, but I'm not gonna look much more into it without someone showing up.

Member

@drager drager left a comment


Thanks a lot!

@drager drager merged commit 5b3ff33 into rustwasm:master Jun 17, 2021
Successfully merging this pull request may close these issues.

Security alert for axios 0.19.0 (npm dependency)
4 participants