Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: follow-redirects Component Governance vulnerability #4071

Merged
merged 3 commits into from
Jan 31, 2022

Conversation

BruceHaley
Copy link
Contributor

@BruceHaley BruceHaley commented Jan 21, 2022

Fixes #minor

Description

Fixes the high severity follow-redirects vulnerability listed in these 2 CG alerts:
https://fuselabs.visualstudio.com/SDK_v4/_componentGovernance/112352/alert/6373557?typeId=10422422
https://fuselabs.visualstudio.com/SDK_v4/_componentGovernance/112352/alert/6373574?typeId=10422422

Vulnerability: follow-redirects 1.5.10
-- Recommendation: Upgrade follow-redirects from 1.5.10 to 1.14.7
Vulnerability: follow-redirects 1.14.4
-- Recommendation: Upgrade follow-redirects from 1.14.4 to 1.14.7

The initial follow-redirects dependency tree looked like this:

C:\src\botbuilder-js>npm ls follow-redirects
[email protected] C:\src\botbuilder-js
`-- @azure/[email protected]
  `-- [email protected]
    `-- [email protected]

I fixed it with the command:
yarn upgrade @azure/[email protected]
...resulting in the dependency being eliminated:

C:\src\botbuilder-js>npm ls follow-redirects
[email protected] C:\src\botbuilder-js
`-- (empty)

Testing

I tested the fix in these 4 Sample-Js E2E test runs:
Sample-Js-CoreBot-Linux-Test-yaml
Sample-Js-CoreBot-Win-Test-yaml
Sample-Js-EchoBot-Linux-Test-yaml
Sample-Js-EchoBot-Win-Test-yaml

@coveralls
Copy link

coveralls commented Jan 21, 2022

Pull Request Test Coverage Report for Build 1775283574

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.003%) to 84.546%

Totals Coverage Status
Change from base Build 1775183583: -0.003%
Covered Lines: 19668
Relevant Lines: 22036

💛 - Coveralls

@BruceHaley BruceHaley changed the title Fix follow-redirects Component Governance vulnerability fix: follow-redirects Component Governance vulnerability Jan 21, 2022
@BruceHaley BruceHaley marked this pull request as ready for review January 24, 2022 18:12
@BruceHaley BruceHaley requested a review from a team as a code owner January 24, 2022 18:12
@BruceHaley BruceHaley added the Area: Engineering Internal issues that are related to improving code quality, refactorings, code cleanup, etc. label Jan 24, 2022
@mrivera-ms mrivera-ms merged commit 37536ee into main Jan 31, 2022
@mrivera-ms mrivera-ms deleted the bruce/cgalertfix1-21 branch January 31, 2022 23:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: Engineering Internal issues that are related to improving code quality, refactorings, code cleanup, etc.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants