
Update Dashboard dependency on Axios #3625

Merged: 1 commit merged into distributed-system-analysis:main from axios-update, Sep 25, 2024

Conversation

@webbnh webbnh (Member) commented Sep 25, 2024

After ten months, I finally got tired of the Dependabot warnings, so here's a PR to update the Dashboard's dependency on axios to at least the version which addresses CVE-2023-45857. (See also the GitHub advisory.)

I assume (boldly) that when we actually build the Dashboard, we pull a safe version of axios (since the package.json file is specifying only the minimum -- not the "locked" -- version), so I don't think this issue actually affects us (and, even if it did, we run the Dashboard in limited quantities in what I think is a safe environment...), so I didn't bother to actually test this change. (For me, the definition of "working" will be the absence of Dependabot warnings....)

@webbnh webbnh self-assigned this Sep 25, 2024
@webbnh webbnh added the Dashboard (Of and relating to the Dashboard GUI), packaging (Issues related to software packaging) and Operations (Related to operation and monitoring of a service) labels Sep 25, 2024
@dbutenhof dbutenhof (Member) left a comment

Yeah, in theory, I think both ^0.26.1 and ^0.28.0 should resolve to "the latest 0.*" version and we're just keeping it from bumping to the (theoretically incompatible) "1.0". In practice, both JavaScript and Python packages have a less than reliable reputation with regard to compatibility even across minor patch versions; but I also agree that at this point dumping the Dependabot warnings is a great goal and if anyone does need to build a new dashboard package they can worry about it then if there's a problem. 😁
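The discussion above turns on how a caret range in package.json actually resolves. Under npm's semver rules a caret range permits updates that do not change the left-most non-zero component, so for a 0.x dependency the range only floats within one minor version: ^0.26.1 means >=0.26.1 <0.27.0 and ^0.28.0 means >=0.28.0 <0.29.0, while ^1.6.0 means >=1.6.0 <2.0.0. The block below is an added example written for this page, not code from the pbench project or from either commenter; it implements that resolution rule and runs it against a constructed subset of axios release numbers. The assumption that 0.28.0 is the first 0.x release carrying the fix for CVE-2023-45857 comes from the GitHub advisory the PR links to, not from the PR text itself, and the `PUBLISHED` list is an illustrative sample rather than a registry fetch.

```javascript
// Added example, not part of the PR: npm-style caret range resolution for 0.x
// dependencies. Caret semantics: ^X.Y.Z allows changes that keep the left-most
// non-zero component fixed.
//   ^1.2.3 => >=1.2.3 <2.0.0
//   ^0.2.3 => >=0.2.3 <0.3.0
//   ^0.0.3 => >=0.0.3 <0.0.4

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lower (inclusive) and upper (exclusive) bounds of a caret range.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lo = parseVersion(range.slice(1));
  const [major, minor, patch] = lo;
  let hi;
  if (major > 0) hi = [major + 1, 0, 0];
  else if (minor > 0) hi = [0, minor + 1, 0];
  else hi = [0, 0, patch + 1];
  return [lo, hi];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = caretBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// npm installs the highest published version that satisfies the range
// (absent a lockfile pinning something else). Returns null if nothing matches.
function resolve(range, published) {
  const matching = published.filter((v) => satisfies(v, range));
  if (matching.length === 0) return null;
  matching.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return matching[matching.length - 1];
}

// Constructed, illustrative subset of axios release numbers (not fetched from the registry).
const PUBLISHED = ['0.26.0', '0.26.1', '0.27.0', '0.27.2', '0.28.0', '0.28.1', '1.5.1', '1.6.0', '1.7.7'];

// Assumption (from the linked advisory, not the PR text): first 0.x release with the
// CVE-2023-45857 fix.
const FIXED_0X = '0.28.0';

// Would a fresh install from this range land on a fixed 0.x release?
function resolvesToFixed(range, published = PUBLISHED) {
  const picked = resolve(range, published);
  return picked !== null && compare(parseVersion(picked), parseVersion(FIXED_0X)) >= 0;
}

console.log('^0.26.1 ->', resolve('^0.26.1', PUBLISHED), 'fixed:', resolvesToFixed('^0.26.1'));
console.log('^0.28.0 ->', resolve('^0.28.0', PUBLISHED), 'fixed:', resolvesToFixed('^0.28.0'));
```

The practical check this gives you: with the old `^0.26.1` range a clean `npm install` (no lockfile) can never pick anything at or above 0.27.0, so the range alone does not reach a fixed release; bumping the floor to `^0.28.0` is what makes the resolved version safe. Whether the Dashboard actually ships with a fixed version still depends on the lockfile or built artifact, which this example does not inspect.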


Addresses CVE-2023-45857 (and makes Dependabot shut up).
@webbnh webbnh merged commit 013bccb into distributed-system-analysis:main Sep 25, 2024
4 checks passed
@webbnh webbnh deleted the axios-update branch September 25, 2024 19:47