
fix: follow-redirects Component Governance vulnerability #4071

Merged
merged 3 commits into from
Jan 31, 2022

Conversation

BruceHaley
Contributor

@BruceHaley BruceHaley commented Jan 21, 2022

Fixes #minor

Description

Fixes the high severity follow-redirects vulnerability listed in these 2 CG alerts:
https://fuselabs.visualstudio.com/SDK_v4/_componentGovernance/112352/alert/6373557?typeId=10422422
https://fuselabs.visualstudio.com/SDK_v4/_componentGovernance/112352/alert/6373574?typeId=10422422

Vulnerability: follow-redirects 1.5.10
-- Recommendation: Upgrade follow-redirects from 1.5.10 to 1.14.7
Vulnerability: follow-redirects 1.14.4
-- Recommendation: Upgrade follow-redirects from 1.14.4 to 1.14.7

The initial follow-redirects dependency tree looked like this:

C:\src\botbuilder-js>npm ls follow-redirects
botbuilder-js@4.13.0 C:\src\botbuilder-js
`-- @azure/ms-rest-js@1.9.1
  `-- axios@0.21.4
    `-- follow-redirects@1.14.4

I fixed it with the command:
yarn upgrade @azure/ms-rest-js@2.6.0
...resulting in the dependency being eliminated:

C:\src\botbuilder-js>npm ls follow-redirects
botbuilder-js@4.13.0 C:\src\botbuilder-js
`-- (empty)

Testing

I tested the fix in these 4 Sample-Js E2E test runs:
Sample-Js-CoreBot-Linux-Test-yaml
Sample-Js-CoreBot-Win-Test-yaml
Sample-Js-EchoBot-Linux-Test-yaml
Sample-Js-EchoBot-Win-Test-yaml
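Checking a CG-style alert by hand means finding every path in the dependency tree that still resolves the flagged package below the fixed version, which is what `npm ls follow-redirects` shows for one package. The script below is an added example, not code from this PR or from botbuilder-js: it walks an `npm ls --json`-shaped tree (here a constructed object mirroring the "before" state in the description, with `@azure/ms-rest-js@1.9.1 > axios@0.21.4 > follow-redirects@1.14.4`) and reports each occurrence whose version is below the recommended fix. The helper names `findVulnerable` and `compareSemver` are this example's own.

```javascript
// Added example (not part of the PR). Constructed `npm ls --json`-style tree
// mirroring the dependency chain described above, before the upgrade.
const treeBefore = {
  name: "botbuilder-js",
  version: "4.13.0",
  dependencies: {
    "@azure/ms-rest-js": {
      version: "1.9.1",
      dependencies: {
        axios: {
          version: "0.21.4",
          dependencies: { "follow-redirects": { version: "1.14.4" } },
        },
      },
    },
  },
};

// Parse the numeric major.minor.patch prefix; pre-release/build suffixes are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component, so "1.5.10" < "1.14.7" (string
// comparison would get this backwards because "5" > "1").
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over `dependencies`. Returns one entry per occurrence of
// `pkg` resolved below `fixedIn`, with the full "a@x > b@y > pkg@z" path so
// the parent that pins the bad range is obvious. Nodes without a `version`
// (deduped or missing entries in npm's JSON output) are skipped.
function findVulnerable(tree, pkg, fixedIn) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      if (!child.version) continue;
      const nextPath = [...path, `${name}@${child.version}`];
      if (name === pkg && compareSemver(child.version, fixedIn) < 0) {
        hits.push({ path: nextPath.join(" > "), version: child.version });
      }
      walk(child, nextPath);
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Usage: pipe real output in with `npm ls follow-redirects --json` and parse it
// into `tree`; here we run on the constructed tree.
const FIXED_IN = "1.14.7"; // version recommended by the alerts above
for (const hit of findVulnerable(treeBefore, "follow-redirects", FIXED_IN)) {
  console.log(`${hit.path}  (below ${FIXED_IN})`);
}
```

After the upgrade the root has no `follow-redirects` node at all, so the same call returns an empty list; asserting on that in CI is a cheap way to keep the alert from regressing when a transitive dependency is bumped later.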

@coveralls

coveralls commented Jan 21, 2022

Pull Request Test Coverage Report for Build 1775283574

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.003%) to 84.546%

Totals Coverage Status
Change from base Build 1775183583: -0.003%
Covered Lines: 19668
Relevant Lines: 22036

💛 - Coveralls

@BruceHaley BruceHaley changed the title Fix follow-redirects Component Governance vulnerability fix: follow-redirects Component Governance vulnerability Jan 21, 2022
@BruceHaley BruceHaley marked this pull request as ready for review January 24, 2022 18:12
@BruceHaley BruceHaley requested a review from a team as a code owner January 24, 2022 18:12
@BruceHaley BruceHaley added the Area: Engineering Internal issues that are related to improving code quality, refactorings, code cleanup, etc. label Jan 24, 2022
@mrivera-ms mrivera-ms merged commit 37536ee into main Jan 31, 2022
@mrivera-ms mrivera-ms deleted the bruce/cgalertfix1-21 branch January 31, 2022 23:14