Releasing v0.26.0
jasonsaayman committed Feb 13, 2022
1 parent 3f842e0 commit c9aca75
Showing 9 changed files with 32 additions and 24 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,15 @@
# Changelog

### 0.26.0 (February 13, 2022)

Fixes and Functionality:
- Fixed The timeoutErrorMessage property in config not work with Node.js ([#3581](https://github.com/axios/axios/pull/3581))
- Added errors to be displayed when the query parsing process itself fails ([#3961](https://github.com/axios/axios/pull/3961))
- Fix/remove url required ([#4426](https://github.com/axios/axios/pull/4426))
- Update follow-redirects dependency due to Vurnerbility ([#4462](https://github.com/axios/axios/pull/4462))
- Bump karma from 6.3.11 to 6.3.14 ([#4461](https://github.com/axios/axios/pull/4461))
- Bump follow-redirects from 1.14.7 to 1.14.8 ([#4473](https://github.com/axios/axios/pull/4473))

### 0.25.0 (January 18, 2022)

Breaking changes:
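Review bot: the entry "Update follow-redirects dependency due to Vurnerbility" misspells "Vulnerability", and the first entry, "Fixed The timeoutErrorMessage property in config not work with Node.js", is ungrammatical; suggest "Fixed the timeoutErrorMessage property in config not working with Node.js" and "Update follow-redirects dependency due to vulnerability". Since the #4462 and #4473 lines both describe the same follow-redirects update, the advisory-driven entry would also be more useful to downstream auditors if it named the advisory it addresses alongside the fixed version (1.14.8) rather than leaving the reader to infer it from the dependabot line.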
2 changes: 1 addition & 1 deletion bower.json
@@ -1,7 +1,7 @@
{
"name": "axios",
"main": "./dist/axios.js",
"version": "0.25.0",
"version": "0.26.0",
"homepage": "https://axios-http.com",
"authors": [
"Matt Zabriskie"
28 changes: 14 additions & 14 deletions dist/axios.js

2 changes: 1 addition & 1 deletion dist/axios.map

4 changes: 1 addition & 3 deletions dist/axios.min.js

2 changes: 1 addition & 1 deletion dist/axios.min.map

2 changes: 1 addition & 1 deletion lib/env/data.js
@@ -1,3 +1,3 @@
module.exports = {
"version": "0.25.0"
"version": "0.26.0"
};
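Review bot: this is the third hand-edited copy of the same version string in one commit (bower.json, lib/env/data.js and package.json), so a missed file would silently ship a stale version; suggest a release script or a small test that reads the version from package.json and asserts that lib/env/data.js and bower.json agree, so the three cannot drift.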
4 changes: 2 additions & 2 deletions package-lock.json

2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "axios",
"version": "0.25.0",
"version": "0.26.0",
"description": "Promise based HTTP client for the browser and node.js",
"main": "index.js",
"types": "index.d.ts",

6 comments on commit c9aca75

@DanielRuf

Whoever wrote this CVE entry, it is totally wrong. It does not mention the vulnerable dependency (follow-redirects) or cookies at all.

Can someone please update the CVE entry to reflect that it is about cookies from redirects and generally in another dependency and not in axios itself?
Please try to understand how SemVer ranges and selectors work. Any project which consumes axios will automatically get the latest version of follow-redirects.

https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/
https://nvd.nist.gov/vuln/detail/CVE-2022-1214

@jasonsaayman @JamieSlome

@JamieSlome

@JamieSlome JamieSlome commented on c9aca75 May 4, 2022

@DanielRuf - I think the best course of action here is to revoke the CVE given that the issue stems from a dependency, rather than the package itself. To the side of this, we will run an internal review to make sure that vulnerabilities of dependencies are not treated as vulnerabilities against a root project.

@jasonsaayman - before I proceed with this, I do want your input here as you are best placed to understand the issue.

EDIT: just on looking at the commit deeper, it doesn't make sense for a CVE to be assigned here, so will revoke it now 👍

@jasonsaayman

@jasonsaayman jasonsaayman commented on c9aca75 May 4, 2022

@JamieSlome @DanielRuf Ok cool, I agree. In addition, most redirect issues where a CVE is raised are almost 99% a follow-redirects issue and should rather be raised over there :) thanks for the help

@JamieSlome

@DanielRuf @jasonsaayman: this has now been revoked and updated on the report page accordingly 👍

@robert-molecula

@DanielRuf If I understand correctly, the vulnerability is not an issue explicitly with Axios, but rather with the follow-redirects dependency that is called by Axios. If that is the case, is there a separate CVE or vulnerability attached to a follow-redirects version?

@DanielRuf

@DanielRuf DanielRuf commented on c9aca75 Jun 16, 2022

> If I understand correctly, the vulnerability is not an issue explicitly with Axios, but rather with the follow-redirects dependency that is called by Axios.

Exactly, since the change is only in the lockfile.

> If that is the case, is there a separate CVE or vulnerability attached to a follow-redirects version?

See these links:
c5bdbd4 (commit / changes)
v0.25.0...v0.26.0 (changes between .25 and .26)
follow-redirects/follow-redirects@8b347cb (relevant change in follow-redirects)
follow-redirects/follow-redirects#183 (relevant issue)
https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/ (report)
https://nvd.nist.gov/vuln/detail/CVE-2022-0155 (CVE entry, CVE-2022-0155 - also links to GHSA-74fj-2j2h-c42q - mentioned / linked in previous links)

Does this answer your question @robert-molecula?
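DanielRuf's two points in this thread (a consumer's semver range lets npm pick up the patched follow-redirects, and the actual fix arrives through the lockfile) can be checked mechanically. The script below is an added example, not code from the axios project or from any commenter; it assumes axios declares follow-redirects with a caret range such as `^1.14.7`, and the lockfile excerpt is constructed for illustration.

```javascript
// Added example, not axios project code. Shows that the caret range axios
// declares admits both the vulnerable and the patched follow-redirects, and
// checks which version a package-lock.json (lockfileVersion 2/3) resolves.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v); // prerelease/build ignored here
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// npm caret semantics: ^1.14.7 means >=1.14.7 <2.0.0; ^0.x.y pins the minor
// and ^0.0.z pins the patch.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges handled');
  const lo = parseSemver(range.slice(1));
  const v = parseSemver(version);
  if (lo[0] === 0 && lo[1] === 0) return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
  if (lo[0] === 0) return v[0] === 0 && v[1] === lo[1] && v[2] >= lo[2];
  return v[0] === lo[0] && compareSemver(version, range.slice(1)) >= 0;
}

// Every resolved copy of `name` in a v2/v3 lockfile, where "packages" is
// keyed by node_modules path (nested copies appear under longer paths).
function resolvedVersions(lock, name) {
  if (!lock.packages) throw new Error('lockfileVersion 2 or 3 expected');
  return Object.entries(lock.packages)
    .filter(([p]) => p.endsWith(`node_modules/${name}`))
    .map(([p, info]) => ({ path: p, version: info.version }));
}

// Marks each resolved copy as patched or not against the fixed version.
function auditLock(lock, name, minFixed) {
  return resolvedVersions(lock, name).map(r => ({ ...r, fixed: compareSemver(r.version, minFixed) >= 0 }));
}
// Constructed lockfile excerpt, not a real axios lockfile: the declared range
// would accept 1.14.8, but the lock still pins the vulnerable 1.14.7.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/axios': { version: '0.26.0', dependencies: { 'follow-redirects': '^1.14.7' } },
    'node_modules/follow-redirects': { version: '1.14.7' },
  },
};
const FIXED_VERSION = '1.14.8'; // the version the changelog above bumps to
```

To audit a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` and call `auditLock(lock, 'follow-redirects', FIXED_VERSION)`.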
