This repository has been archived by the owner on Aug 3, 2023. It is now read-only.

update binary-install to avoid vulnerable axios version #1726

Merged
merged 4 commits into from
Feb 2, 2021

simonhaenisch
Contributor

Fixes

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @cloudflare/wrangler [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @cloudflare/wrangler > binary-install > axios                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

see https://github.com/EverlastingBugstopper/binary-install/releases/tag/v0.1.1

@simonhaenisch simonhaenisch requested a review from a team as a code owner January 13, 2021 12:46
Member

@xtuc xtuc left a comment

thanks

@TrySound
TrySound commented Feb 1, 2021

The latest binary-install is also smaller
https://packagephobia.com/[email protected]

@simonhaenisch
Contributor Author

@xtuc @nataliescottdavidson what's the plan on getting this merged? Any action needed from me?

@xtuc
Member

xtuc commented Feb 2, 2021

@simonhaenisch sorry, I just noticed that we have an npm-shrinkwrap.json here. Could you please update it too?

@simonhaenisch
Contributor Author

Ah yup sorry I missed that, cause I did the edit via the GitHub editor 😅 done

@xtuc xtuc merged commit 9cc044c into cloudflare:master Feb 2, 2021
@simonhaenisch simonhaenisch deleted the patch-1 branch February 2, 2021 11:03
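
Added example, not part of this pull request or of wrangler's code: a check that walks a lockfile tree such as npm-shrinkwrap.json and reports every copy of axios still pinned below the patched version (>=0.21.1) named in the audit report above, which is the state the shrinkwrap was in until it was updated alongside package.json. The function names, the lockfileVersion 1 layout and all versions in the sample tree are assumptions or constructed values.

```javascript
// Added example: find copies of a package that a lockfile still pins below
// the patched version. Assumes lockfileVersion 1 (nested "dependencies").

// Parse "x.y.z" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly lower than version b.
function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Recursively collect every pinned copy of `name` older than `patched`.
// `location` is where the copy sits in the lockfile tree (install nesting),
// which can differ from the logical dependency chain when npm hoists.
function findVulnerable(node, name, patched, trail = [node.name]) {
  const found = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...trail, dep];
    if (dep === name && lessThan(info.version, patched)) {
      found.push({ location: here.join(" > "), version: info.version });
    }
    found.push(...findVulnerable(info, name, patched, here));
  }
  return found;
}

// Constructed sample: package.json could already ask for the fixed
// binary-install while the shrinkwrap still pins the old tree.
const sampleLock = {
  name: "@cloudflare/wrangler",
  lockfileVersion: 1,
  dependencies: {
    "binary-install": {
      version: "0.0.1", // constructed, not taken from the PR
      dependencies: { axios: { version: "0.19.2" } }, // constructed
    },
  },
};

console.log(findVulnerable(sampleLock, "axios", "0.21.1"));
```

Running the same check against the parsed contents of both package-lock.json and npm-shrinkwrap.json catches the case where only one of them was regenerated.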