chore(deps): bump axios to 1.8.3 to address CVE-2025-27152#2453

Merged
zimeg merged 2 commits into main from chore-axios-1.8.2
Mar 14, 2025

Conversation

@zimeg zimeg (Member) commented Mar 11, 2025

Summary

This PR updates axios to 1.8.3 to address CVE-2025-27152 - as noted in slackapi/node-slack-sdk#2169 🔐

Notes

A semver:minor release for axios happened with this change, but AFAICT no other changes are needed. It might be nice to share these changes in a following patch 👀

Also, axios is also a dependency of @slack/web-api, which has a similar PR in slackapi/node-slack-sdk#2172 that might be worth including in the related @slack/bolt release?

Requirements

@zimeg zimeg added security semver:patch dependencies Pull requests that update a dependency file labels Mar 11, 2025
@zimeg zimeg added this to the 4.2.2 milestone Mar 11, 2025
@zimeg zimeg self-assigned this Mar 11, 2025
@codecov codecov bot commented Mar 11, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.59%. Comparing base (935151c) to head (ad0c043).
Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2453   +/-   ##
=======================================
  Coverage   92.59%   92.59%           
=======================================
  Files          36       36           
  Lines        7472     7472           
  Branches      653      653           
=======================================
  Hits         6919     6919           
  Misses        545      545           
  Partials        8        8           


@hello-ashleyintech hello-ashleyintech (Contributor) left a comment

❤️

@zimeg zimeg changed the title chore(deps): bump axios to 1.8.2 to address CVE-2025-27152 chore(deps): bump axios to 1.8.3 to address CVE-2025-27152 Mar 14, 2025
@zimeg zimeg (Member, Author) commented Mar 14, 2025

@hello-ashleyintech @WilliamBergamin Thank y'all both for the reviews! I revisited this to bump axios to the 1.8.3 release for the related TypeScript fixes just now 🚀

This matches slackapi/node-slack-sdk#2172 and slackapi/node-slack-sdk#2173 but I think holding off on releasing this until @slack/web-api and related packages are all patched might be best 🫡

@zimeg zimeg merged commit 9da05b8 into main Mar 14, 2025
18 checks passed
@zimeg zimeg deleted the chore-axios-1.8.2 branch March 14, 2025 18:53
3 participants