@zimeg zimeg commented Mar 11, 2025

Summary

This PR updates axios to 1.8.3 to address CVE-2025-27152 - as noted in #2169 🔐

A semver:minor release for axios happened with this change, but AFAICT no other changes are needed. It might be nice to share these changes in a following patch 👀

Requirements

@zimeg zimeg added semver:patch pkg:web-api applies to `@slack/web-api` dependencies Pull requests that update a dependency file labels Mar 11, 2025
@zimeg zimeg added this to the web-api@7.8.1 milestone Mar 11, 2025
@zimeg zimeg self-assigned this Mar 11, 2025
codecov bot commented Mar 11, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.94%. Comparing base (6618482) to head (da529fe).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2172   +/-   ##
=======================================
  Coverage   91.94%   91.94%           
=======================================
  Files          38       38           
  Lines       10328    10328           
  Branches      652      652           
=======================================
  Hits         9496     9496           
  Misses        820      820           
  Partials       12       12           
Flag Coverage Δ
cli-hooks 95.23% <ø> (ø)
cli-test 94.76% <ø> (ø)
oauth 77.39% <ø> (ø)
socket-mode 61.82% <ø> (ø)
web-api 96.88% <ø> (ø)
webhook 96.65% <ø> (ø)

Flags with carried forward coverage won't be shown.

@zimeg zimeg added the security label Mar 11, 2025
@zimeg zimeg changed the title chore(web-api): bump axios to 1.8.2 to address CVE-2025-27152 fix(web-api): bump axios to 1.8.2 to address CVE-2025-27152 Mar 11, 2025
@hello-ashleyintech hello-ashleyintech left a comment

🚀 🚀

@WilliamBergamin WilliamBergamin left a comment

Tested this out locally, it works 🚀 but it's hard to know what the edge cases may be

@zimeg zimeg changed the title fix(web-api): bump axios to 1.8.2 to address CVE-2025-27152 fix(web-api): bump axios to 1.8.3 to address CVE-2025-27152 Mar 12, 2025
zimeg commented Mar 12, 2025

@hello-ashleyintech @WilliamBergamin Thank y'all once more for another review! 🚀

I agree that some edges might be caught with these changes, but AFAICT the default behavior should match what's released now.

Follow up to expose the allowAbsoluteUrls option in the WebClient constructor seems useful for some cases, so I'll check this out before continuing with a release 🫡
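To make the allowAbsoluteUrls behaviour discussed here concrete, the following is an added example, not code from this PR, from axios or from @slack/web-api: a standalone reimplementation of the URL-resolution rule axios documents for that option, plus a check a caller can use to confirm the request that will actually be sent stays on the configured base origin. The Slack API base URL and the "attacker.example" inputs are constructed sample values.

```javascript
// Added example: mirrors the documented axios 1.8.x rule for combining
// baseURL with a requested URL under `allowAbsoluteUrls`. Not axios code.

// A URL is treated as absolute when it carries a scheme ("https://...")
// or is scheme-relative ("//host/..."); both would replace baseURL.
const ABSOLUTE_URL = /^([a-z][a-z\d+\-.]*:)?\/\//i;

function isAbsoluteUrl(url) {
  return ABSOLUTE_URL.test(url);
}

// Join baseURL and a relative path without producing a double slash.
function combineUrls(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// allowAbsoluteUrls === true (the default): an absolute requested URL wins
// over baseURL. allowAbsoluteUrls === false: the requested value is always
// appended to baseURL, so it can never redirect the request elsewhere.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls = true) {
  const relative = !isAbsoluteUrl(requestedURL);
  if (baseURL && (relative || allowAbsoluteUrls === false)) {
    return combineUrls(baseURL, requestedURL);
  }
  return requestedURL;
}

// Defender-side check: does the resolved request keep baseURL's origin?
// Returns false for unparsable results as well as for a changed origin.
function resolvesToBaseOrigin(baseURL, requestedURL, allowAbsoluteUrls = true) {
  const full = buildFullPath(baseURL, requestedURL, allowAbsoluteUrls);
  let resolved;
  try {
    resolved = new URL(full, baseURL);
  } catch {
    return false;
  }
  return resolved.origin === new URL(baseURL).origin;
}

// Constructed sample: the Slack Web API base and a method name, as a
// WebClient-style caller would combine them.
const SAMPLE_BASE = 'https://slack.com/api/';
console.log(buildFullPath(SAMPLE_BASE, 'chat.postMessage'));
console.log(resolvesToBaseOrigin(SAMPLE_BASE, '//attacker.example/x'));        // default: false
console.log(resolvesToBaseOrigin(SAMPLE_BASE, '//attacker.example/x', false)); // hardened: true
```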

@zimeg zimeg merged commit ddbf17a into main Mar 13, 2025
57 checks passed
@zimeg zimeg deleted the chore-web-api-axios-1.8.2 branch March 13, 2025 00:59
zimeg commented Mar 20, 2025

📝 This was included in the @slack/web-api@7.9.0 release, so I'll update the milestone to match this.
