
Replace yarn resolutions entry for axios security patch with version bump #4637

Merged 2 commits into main from dependabot-security-alert/bump/axios-1.7.4 on Aug 23, 2024

Conversation

MajorLift
Contributor

@MajorLift MajorLift commented Aug 23, 2024

Explanation

  • Removes yarn resolutions entry for axios that pinned it to a version patched for a high-level security threat.
  • Resolves security issue by updating axios via a contentful version bump.
    • axios is a transitive dependency of core: @metamask/notification-services-controller > contentful > axios.

References

Changelog

@metamask/notification-services-controller

### Changed

- Bump `contentful` from `^10.3.6` to `^10.15.0` ([#4637](https://github.com/MetaMask/core/pull/4637))

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've highlighted breaking changes using the "BREAKING" category above as appropriate
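As an added example (not part of this PR or of MetaMask/core), a small Node script that does the check a reviewer of this kind of change would want: after the `resolutions` pin is dropped, does the lockfile still resolve every `axios` descriptor to at least the patched version, and is any leftover `resolutions` override still present? The package.json and yarn v1 lockfile below are constructed samples, and the `1.7.4` minimum is taken from the branch name.

```javascript
// Added example (not from the PR): check that a transitive dependency resolved
// through the lockfile meets a minimum patched version, and flag a leftover
// "resolutions" override for it. Both inputs below are constructed samples.
const PACKAGE_JSON = JSON.stringify({
  dependencies: { contentful: "^10.15.0" },
  resolutions: { axios: "1.7.4" }, // the kind of pin this PR removes
});
const YARN_LOCK = `# yarn lockfile v1

"axios@^1.7.4", "axios@1.7.4":
  version "1.7.4"

"contentful@^10.15.0":
  version "10.15.0"
  dependencies:
    axios "^1.7.4"
`;

// Parse a yarn v1 lockfile into { "pkg@range": resolvedVersion } pairs.
function parseLockVersions(lock) {
  const out = {};
  let keys = [];
  for (const line of lock.split("\n")) {
    if (/^\S/.test(line) && line.endsWith(":")) {
      // Entry header: one or more quoted descriptors sharing one resolution.
      keys = line.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
    } else {
      const m = line.match(/^  version "([^"]+)"/);
      if (m) for (const k of keys) out[k] = m[1];
    }
  }
  return out;
}

// Numeric MAJOR.MINOR.PATCH comparison (pre-release tags not handled).
function cmpSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Resolved versions of `name`, those below `minVersion`, and whether a
// "resolutions" override for `name` still lingers in package.json.
function auditTransitive(pkgJson, lock, name, minVersion) {
  const pkg = JSON.parse(pkgJson);
  const resolved = [...new Set(Object.entries(parseLockVersions(lock))
    .filter(([k]) => k.startsWith(name + "@")).map(([, v]) => v))];
  const vulnerable = resolved.filter((v) => cmpSemver(v, minVersion) < 0);
  return { resolved, vulnerable, leftoverResolution: Boolean(pkg.resolutions?.[name]) };
}
```

Run it against the real package.json and yarn.lock to confirm the bump alone carries the fix; a non-empty `vulnerable` list means some consumer's range still resolves to an unpatched version.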

@MajorLift MajorLift self-assigned this Aug 23, 2024
@MajorLift MajorLift changed the title Remove yarn resolutions entry for axios Replace yarn resolutions entry for axios security patch with version bump Aug 23, 2024
@MajorLift MajorLift marked this pull request as ready for review August 23, 2024 12:32
@MajorLift MajorLift requested a review from a team as a code owner August 23, 2024 12:32
@MajorLift MajorLift requested a review from a team August 23, 2024 18:35
Member

@Gudahtt Gudahtt left a comment


LGTM!

@MajorLift MajorLift merged commit cfb51b6 into main Aug 23, 2024
117 checks passed
@MajorLift MajorLift deleted the dependabot-security-alert/bump/axios-1.7.4 branch August 23, 2024 18:47