From 9b1b26f8fab47d2ff84881b250d0eb7ea20e0324 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Sat, 28 Oct 2023 03:18:15 +0000
Subject: [PATCH 1/2] fix: package.json & yarn.lock to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-6032459
---
 package.json | 3 ++-
 yarn.lock | 14 ++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index c707cb3b2f2..acd74cefb34 100644
--- a/package.json
+++ b/package.json
@@ -120,7 +120,8 @@
 "@zwave-js/winston-daily-rotate-file": "^4.5.6-1",
 "ansi_up": "^6.0.2",
 "archiver": "^6.0.1",
- "axios": "^1.5.1",
+ "axios": "^1.6.0",
+ "axios-progress-bar": "^1.2.0",
 "connect-history-api-fallback": "2.0.0",
 "cookie-parser": "^1.4.6",
 "cors": "^2.8.5",
diff --git a/yarn.lock b/yarn.lock
index df24cecd3d7..62c80fb65d6 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3798,6 +3798,15 @@ __metadata:
 languageName: node
 linkType: hard
+"axios-progress-bar@npm:^1.2.0":
+ version: 1.2.0
+ resolution: "axios-progress-bar@npm:1.2.0"
+ peerDependencies:
+ axios: 0.x
+ checksum: b0ef52ed5649ef4efe0e50f8bddc920b9d38dfafe59417db5062a7ee2c92d18811776e89c9b132b292b9742d94e7c48d654bfd68cb86410bf93e58ec6e239a47
+ languageName: node
+ linkType: hard
 "axios@npm:^0.27.2":
 version: 0.27.2
 resolution: "axios@npm:0.27.2"
@@ -3808,7 +3817,7 @@ __metadata:
 languageName: node
 linkType: hard
-"axios@npm:^1.5.1":
+"axios@npm:^1.6.0":
 version: 1.6.2
 resolution: "axios@npm:1.6.2"
 dependencies:
@@ -14306,7 +14315,8 @@ __metadata:
 "@zwave-js/winston-daily-rotate-file": "npm:^4.5.6-1"
 ansi_up: "npm:^6.0.2"
 archiver: "npm:^6.0.1"
- axios: "npm:^1.5.1"
+ axios: "npm:^1.6.0"
+ axios-progress-bar: "npm:^1.2.0"
 c8: "npm:^8.0.1"
 chai: "npm:^4.3.10"
 chai-as-promised: "npm:^7.1.1"
From 617e6ce3ae533de03cb164e48e85aaccc7ee83c0 Mon Sep 17 00:00:00 2001
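Review bot: The package.json hunk adds a new dependency, `"axios-progress-bar": "^1.2.0"`, in a commit whose description only claims an axios upgrade for SNYK-JS-AXIOS-6032459, and the yarn.lock hunk below records that package's peer range as `axios: 0.x`, which the bumped `"axios": "^1.6.0"` does not satisfy. An automated remediation that introduces an unrelated package should be reviewed as a dependency addition in its own right: confirm it is actually imported somewhere in the tree and that the 0.x peer range is acceptable, otherwise drop that line from the hunk and keep the commit to the axios bump. If it is kept, the commit description should say why it was added.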
From: Chris Nesbitt-Smith
Date: Mon, 27 Nov 2023 18:47:02 +0000
Subject: [PATCH 2/2] bump to axios 1.6.2 and use yarn instead of npm prune
---
 docker/Dockerfile | 3 +--
 package.json | 2 +-
 yarn.lock | 4 ++--
 3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index ca8c0f1b0b8..62fada6d354 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -39,9 +39,8 @@ RUN npm_config_build_from_source=true npm rebuild @serialport/bindings-cpp
 # Build back and frontend only when not existing
 RUN [ -d 'dist' ] && echo "Skipping build" || npm run build
-RUN npm prune --production && \
+RUN yarn workspaces focus --production && \
 rm -rf \
- package-lock.json \
 build \
 package.sh \
 src \
diff --git a/package.json b/package.json
index acd74cefb34..12ecaf79256 100644
--- a/package.json
+++ b/package.json
@@ -120,7 +120,7 @@
 "@zwave-js/winston-daily-rotate-file": "^4.5.6-1",
 "ansi_up": "^6.0.2",
 "archiver": "^6.0.1",
- "axios": "^1.6.0",
+ "axios": "^1.6.2",
 "axios-progress-bar": "^1.2.0",
 "connect-history-api-fallback": "2.0.0",
 "cookie-parser": "^1.4.6",
diff --git a/yarn.lock b/yarn.lock
index 62c80fb65d6..540c76dabbe 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3817,7 +3817,7 @@ __metadata:
 languageName: node
 linkType: hard
-"axios@npm:^1.6.0":
+"axios@npm:^1.6.2":
 version: 1.6.2
 resolution: "axios@npm:1.6.2"
 dependencies:
@@ -14315,7 +14315,7 @@ __metadata:
 "@zwave-js/winston-daily-rotate-file": "npm:^4.5.6-1"
 ansi_up: "npm:^6.0.2"
 archiver: "npm:^6.0.1"
- axios: "npm:^1.6.0"
+ axios: "npm:^1.6.2"
 axios-progress-bar: "npm:^1.2.0"
 c8: "npm:^8.0.1"
 chai: "npm:^4.3.10"
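Review bot: `RUN yarn workspaces focus --production` requires Yarn Berry with the workspace-tools plugin available in the builder stage, and nothing in this hunk shows yarn being installed or enabled; the surrounding context still drives the build with `npm rebuild` and `npm run build`, so confirm the base image provides yarn (for example via `corepack enable`) before this step, otherwise the build would fail on this line. The `rm -rf` list that follows continues past the end of the hunk, so it cannot be seen here whether yarn-specific artefacts such as a local `.yarn/cache` are also removed from the production layer; worth checking, since a leftover cache would inflate the image. Dropping `package-lock.json` from the cleanup is consistent with the move to yarn, provided the earlier npm steps no longer generate it.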