fix: bump axios by leotm · Pull Request #7758 · MetaMask/metamask-mobile

leotm · 2023-11-10T12:58:54Z

Description

Fix CI failing on Improved Yarn Audit step

metamask@7.10.0 /Users/leo/Documents/GitHub/metamask-mobile
├─┬ @consensys/on-ramp-sdk@1.23.0
│ └── axios@0.27.2
├─┬ appium-adb@9.14.11
│ └─┬ @appium/support@4.1.6
│   └── axios@1.4.0
├─┬ appium@1.22.3
│ ├─┬ appium-android-driver@4.54.0
│ │ ├─┬ appium-chromedriver@4.28.0
│ │ │ └── axios@0.27.2
│ │ └── axios@0.27.2
│ ├─┬ appium-base-driver@7.11.3
│ │ └── axios@0.27.2
│ ├─┬ appium-ios-driver@4.8.3
│ │ └── axios@0.27.2
│ ├─┬ appium-mac2-driver@0.14.1
│ │ └── axios@0.27.2
│ ├─┬ appium-support@2.55.0
│ │ └── axios@0.27.2
│ ├─┬ appium-uiautomator2-driver@1.75.0
│ │ └── axios@0.27.2
│ ├─┬ appium-xcuitest-driver@3.62.0
│ │ └─┬ appium-webdriveragent@3.17.0
│ │   └── axios@0.27.2
│ └── axios@0.27.2
├── axios@0.26.1
└─┬ chromedriver@99.0.0
  └── axios@0.24.0

Related issues

CI broken past few hrs on Improved Yarn Audit step
GHSA-wf5p-g6vw-rhxx
chore(deps-dev): bump chromedriver from 99.0.0 to 119.0.1 #7747 worth looking at after

Manual testing steps

yarn audit:ci

Screenshots/Recordings

Before

Vulnerability Found:

  Severity: MODERATE
  Modules: @consensys/on-ramp-sdk>axios, appium-adb>@appium/support>axios, axios
  URL: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

Vulnerability Found:

  Severity: MODERATE
  Modules: @consensys/on-ramp-sdk>axios, appium-adb>@appium/support>axios, axios
  URL: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

Vulnerability Found:

  Severity: MODERATE
  Modules: @consensys/on-ramp-sdk>axios, appium-adb>@appium/support>axios, axios
  URL: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

Vulnerability Found:

  Severity: MODERATE
  Modules: axios
  URL: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

After

➜  metamask-mobile git:(fix/unbreak-ci-audit-fix-CVE-2023-45857) ✗ yarn audit:ci
yarn run v1.22.19
warning ../package.json: No license field
$ ./scripts/yarn-audit.sh
warning ../package.json: No license field
$ /Users/leo/Documents/GitHub/metamask-mobile/node_modules/.bin/improved-yarn-audit --ignore-dev-deps --min-severity moderate --fail-on-missing-exclusions
Improved Yarn Audit - v3.0.0

Reading excluded advisories from .iyarc
Minimum severity level to report: moderate
Excluded Advisories: ["GHSA-p8p7-x288-28g6","GHSA-c2qf-rxjj-qqgw"]

Running yarn audit...

Found 0 vulnerabilities

2 ignored because they are dev dependencies

6 ignored because of advisory exclusions

Run `yarn audit` for more information
✔ Audit shows _zero_ moderate or high severity advisories _in the production dependencies_
✨  Done in 2.32s.

Pre-merge author checklist

Pre-merge reviewer checklist

I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Vulnerability Found: Severity: MODERATE Modules: @consensys/on-ramp-sdk>axios, appium-adb>@appium/support>axios, axios URL: GHSA-wf5p-g6vw-rhxx Vulnerability Found: Severity: MODERATE Modules: @consensys/on-ramp-sdk>axios, appium-adb>@appium/support>axios, axios URL: GHSA-wf5p-g6vw-rhxx Vulnerability Found: Severity: MODERATE Modules: @consensys/on-ramp-sdk>axios, appium-adb>@appium/support>axios, axios URL: GHSA-wf5p-g6vw-rhxx

Vulnerability Found: Severity: MODERATE Modules: axios URL: GHSA-wf5p-g6vw-rhxx

github-actions · 2023-11-10T12:59:07Z

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

leotm

consider v1.6.1, spotted in

#7747

https://github.com/axios/axios/releases/tag/v1.6.1

socket-security · 2023-11-10T13:04:07Z

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
axios	0.26.1...1.6.0	network	`+0/-0`	1.79 MB	jasonsaayman

socket-security · 2023-11-10T13:04:10Z

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: axios@1.6.0

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

leotm · 2023-11-10T13:05:57Z

@SocketSecurity ignore axios@1.6.0

network access expected

Promise based HTTP client for the browser and node.js

sonarqubecloud · 2023-11-10T13:15:03Z

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

codecov-commenter · 2023-11-10T13:15:10Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (e821b6e) 35.10% compared to head (1e0aacb) 35.10%.
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7758   +/-   ##
=======================================
  Coverage   35.10%   35.10%           
=======================================
  Files        1039     1039           
  Lines       27619    27619           
  Branches     2336     2336           
=======================================
  Hits         9695     9695           
  Misses      17401    17401           
  Partials      523      523

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

github-actions · 2023-11-10T13:21:43Z

E2E test started on Bitrise: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/9347946f-db7b-4146-8078-f5b342539d43
You can also kick off another Bitrise E2E smoke test by removing and re-applying the (Run Smoke E2E) label

leotm · 2023-11-10T13:55:19Z

E2E test started on Bitrise: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/9347946f-db7b-4146-8078-f5b342539d43 You can also kick off another Bitrise E2E smoke test by removing and re-applying the (Run Smoke E2E) label

✅ ios_e2e_test

✅ android_e2e_test

Andepande

LG

tommasini

LGTM, do we test the on ramp on the release testing @Andepande ? it would be good to check it since we are doing a major upgrade version on axios, since it is used by them

leotm · 2023-11-10T14:40:54Z

merged after discussions ^ we can follow-up on comments if agreed later to

fix: bump axios #7758 (comment)
- unpin/loosen the dep/res vers cc @legobeat
fix: bump axios #7758 (review)
- bump to v1.6.1
fix: bump axios #7758 (review)
- now bump chore(deps-dev): bump chromedriver from 99.0.0 to 119.0.1 #7747

## **Description** - Updates the documentation and `js.env.example` file with the new variable `METAMASK_ENVIRONMENT`. - Adds a small note on the `README.md` with instructions for updating envars ## **Related issues** Fixes: # ## **Manual testing steps** Not applicable ## **Screenshots/Recordings** ### **Before** Not applicable ### **After** Not applicable ## **Pre-merge author checklist** - [x] I’ve followed [MetaMask Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've clearly explained what problem this PR is solving and how it is solved. - [ ] I've linked related issues - [ ] I've included manual testing steps - [ ] I've included screenshots/recordings if applicable - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. - [x] I’ve properly set the pull request status: - [x] In case it's not yet "ready for review", I've set it to "draft". - [x] In case it's "ready for review", I've changed it from "draft" to "non-draft". ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

leotm added 2 commits November 10, 2023 12:53

Fix axios vulnerability

1e0aacb

Vulnerability Found: Severity: MODERATE Modules: axios URL: GHSA-wf5p-g6vw-rhxx

leotm requested a review from a team as a code owner November 10, 2023 12:58