fix: follow-redirects Component Governance vulnerability #4071
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #minor
Description
Fixes the high severity follow-redirects vulnerability listed in these 2 CG alerts:
https://fuselabs.visualstudio.com/SDK_v4/_componentGovernance/112352/alert/6373557?typeId=10422422
https://fuselabs.visualstudio.com/SDK_v4/_componentGovernance/112352/alert/6373574?typeId=10422422
Vulnerability: follow-redirects 1.5.10
-- Recommendation: Upgrade follow-redirects from 1.5.10 to 1.14.7
Vulnerability: follow-redirects 1.14.4
-- Recommendation: Upgrade follow-redirects from 1.14.4 to 1.14.7
The initial follow-redirects dependency tree looked like this:
I fixed it with the command:
yarn upgrade @azure/[email protected]
...resulting in the dependency being eliminated:
Testing
I tested the fix in these 4 Sample-Js E2E test runs:
Sample-Js-CoreBot-Linux-Test-yaml
Sample-Js-CoreBot-Win-Test-yaml
Sample-Js-EchoBot-Linux-Test-yaml
Sample-Js-EchoBot-Win-Test-yaml