Update dependency axios to v1.6.0 [SECURITY] (#23)

[![Mend Renovate logo banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [axios](https://axios-http.com) ([source](https://togithub.com/axios/axios)) | [`1.5.0` -> `1.6.0`](https://renovatebot.com/diffs/npm/axios/1.5.0/1.6.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/axios/1.6.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/axios/1.6.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/axios/1.5.0/1.6.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/axios/1.5.0/1.6.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2023-45857](https://nvd.nist.gov/vuln/detail/CVE-2023-45857) An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information. --- ### Release Notes <details> <summary>axios/axios (axios)</summary> ### [`v1.6.0`](https://togithub.com/axios/axios/blob/HEAD/CHANGELOG.md#160-2023-10-26) [Compare Source](https://togithub.com/axios/axios/compare/v1.5.1...v1.6.0) ##### Bug Fixes - **CSRF:** fixed CSRF vulnerability CVE-2023-45857 ([#6028](https://togithub.com/axios/axios/issues/6028)) ([96ee232](https://togithub.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0)) - **dns:** fixed lookup function decorator to work properly in node v20; ([#6011](https://togithub.com/axios/axios/issues/6011)) ([5aaff53](https://togithub.com/axios/axios/commit/5aaff532a6b820bb9ab6a8cd0f77131b47e2adb8)) - **types:** fix AxiosHeaders types; ([#5931](https://togithub.com/axios/axios/issues/5931)) ([a1c8ad0](https://togithub.com/axios/axios/commit/a1c8ad008b3c13d53e135bbd0862587fb9d3fc09)) ##### PRs - CVE 2023 45857 ( [#6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` ##### Contributors to this release - <img src="https://avatars.githubusercontent.com/u/12586868?v=4&s=18" alt="avatar" width="18"/> [Dmitriy Mozgovoy](https://togithub.com/DigitalBrainJS "+449/-114 (#6032 #6021 #6011 #5932 #5931 )") - <img src="https://avatars.githubusercontent.com/u/63700910?v=4&s=18" alt="avatar" width="18"/> [Valentin Panov](https://togithub.com/valentin-panov "+4/-4 (#6028 )") - <img src="https://avatars.githubusercontent.com/u/76877078?v=4&s=18" alt="avatar" width="18"/> [Rinku Chaudhari](https://togithub.com/therealrinku "+1/-1 (#5889 )") #### [1.5.1](https://togithub.com/axios/axios/compare/v1.5.0...v1.5.1) (2023-09-26) ##### Bug Fixes - **adapters:** improved adapters loading logic to have clear error messages; ([#5919](https://togithub.com/axios/axios/issues/5919)) ([e410779](https://togithub.com/axios/axios/commit/e4107797a7a1376f6209fbecfbbce73d3faa7859)) - **formdata:** fixed automatic addition of the `Content-Type` header for FormData in non-browser environments; ([#5917](https://togithub.com/axios/axios/issues/5917)) ([bc9af51](https://togithub.com/axios/axios/commit/bc9af51b1886d1b3529617702f2a21a6c0ed5d92)) - **headers:** allow `content-encoding` header to handle case-insensitive values ([#5890](https://togithub.com/axios/axios/issues/5890)) ([#5892](https://togithub.com/axios/axios/issues/5892)) ([4c89f25](https://togithub.com/axios/axios/commit/4c89f25196525e90a6e75eda9cb31ae0a2e18acd)) - **types:** removed duplicated code ([9e62056](https://togithub.com/axios/axios/commit/9e6205630e1c9cf863adf141c0edb9e6d8d4b149)) ##### Contributors to this release - <img src="https://avatars.githubusercontent.com/u/12586868?v=4&s=18" alt="avatar" width="18"/> [Dmitriy Mozgovoy](https://togithub.com/DigitalBrainJS "+89/-18 (#5919 #5917 )") - <img src="https://avatars.githubusercontent.com/u/110460234?v=4&s=18" alt="avatar" width="18"/> [David Dallas](https://togithub.com/DavidJDallas "+11/-5 ()") - <img src="https://avatars.githubusercontent.com/u/71556073?v=4&s=18" alt="avatar" width="18"/> [Sean Sattler](https://togithub.com/fb-sean "+2/-8 ()") - <img src="https://avatars.githubusercontent.com/u/4294069?v=4&s=18" alt="avatar" width="18"/> [Mustafa Ateş Uzun](https://togithub.com/0o001 "+4/-4 ()") - <img src="https://avatars.githubusercontent.com/u/132928043?v=4&s=18" alt="avatar" width="18"/> [Przemyslaw Motacki](https://togithub.com/sfc-gh-pmotacki "+2/-1 (#5892 )") - <img src="https://avatars.githubusercontent.com/u/5492927?v=4&s=18" alt="avatar" width="18"/> [Michael Di Prisco](https://togithub.com/Cadienvan "+1/-1 ()") ##### PRs - CVE 2023 45857 ( [#6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` ### [`v1.5.1`](https://togithub.com/axios/axios/blob/HEAD/CHANGELOG.md#151-2023-09-26) [Compare Source](https://togithub.com/axios/axios/compare/v1.5.0...v1.5.1) ##### Bug Fixes - **adapters:** improved adapters loading logic to have clear error messages; ([#5919](https://togithub.com/axios/axios/issues/5919)) ([e410779](https://togithub.com/axios/axios/commit/e4107797a7a1376f6209fbecfbbce73d3faa7859)) - **formdata:** fixed automatic addition of the `Content-Type` header for FormData in non-browser environments; ([#5917](https://togithub.com/axios/axios/issues/5917)) ([bc9af51](https://togithub.com/axios/axios/commit/bc9af51b1886d1b3529617702f2a21a6c0ed5d92)) - **headers:** allow `content-encoding` header to handle case-insensitive values ([#5890](https://togithub.com/axios/axios/issues/5890)) ([#5892](https://togithub.com/axios/axios/issues/5892)) ([4c89f25](https://togithub.com/axios/axios/commit/4c89f25196525e90a6e75eda9cb31ae0a2e18acd)) - **types:** removed duplicated code ([9e62056](https://togithub.com/axios/axios/commit/9e6205630e1c9cf863adf141c0edb9e6d8d4b149)) ##### Contributors to this release - <img src="https://avatars.githubusercontent.com/u/12586868?v=4&s=18" alt="avatar" width="18"/> [Dmitriy Mozgovoy](https://togithub.com/DigitalBrainJS "+89/-18 (#5919 #5917 )") - <img src="https://avatars.githubusercontent.com/u/110460234?v=4&s=18" alt="avatar" width="18"/> [David Dallas](https://togithub.com/DavidJDallas "+11/-5 ()") - <img src="https://avatars.githubusercontent.com/u/71556073?v=4&s=18" alt="avatar" width="18"/> [Sean Sattler](https://togithub.com/fb-sean "+2/-8 ()") - <img src="https://avatars.githubusercontent.com/u/4294069?v=4&s=18" alt="avatar" width="18"/> [Mustafa Ateş Uzun](https://togithub.com/0o001 "+4/-4 ()") - <img src="https://avatars.githubusercontent.com/u/132928043?v=4&s=18" alt="avatar" width="18"/> [Przemyslaw Motacki](https://togithub.com/sfc-gh-pmotacki "+2/-1 (#5892 )") - <img src="https://avatars.githubusercontent.com/u/5492927?v=4&s=18" alt="avatar" width="18"/> [Michael Di Prisco](https://togithub.com/Cadienvan "+1/-1 ()") </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/autoblocksai/neon-actions).  --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Nicole White <[email protected]>
autoblocksai · Nov 22, 2023 · 23e862b · 23e862b
1 parent d69eb0d
commit 23e862b
Show file tree

Hide file tree

Showing 3 changed files with 146 additions and 74 deletions.
diff --git a/create-branch/zdist/index.js b/create-branch/zdist/index.js
@@ -9483,7 +9483,7 @@ module.exports = require("zlib");
 /***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
 
 "use strict";
-// Axios v1.5.0 Copyright (c) 2023 Matt Zabriskie and contributors
+// Axios v1.6.0 Copyright (c) 2023 Matt Zabriskie and contributors
 
 
 const FormData$1 = __nccwpck_require__(4334);
@@ -10868,7 +10868,7 @@ const defaults = {
 
   transitional: transitionalDefaults,
 
-  adapter: 'http' ,
+  adapter: ['xhr', 'http'],
 
   transformRequest: [function transformRequest(data, headers) {
     const contentType = headers.getContentType() || '';
@@ -11450,7 +11450,7 @@ function buildFullPath(baseURL, requestedURL) {
   return requestedURL;
 }
 
-const VERSION = "1.5.0";
+const VERSION = "1.6.0";
 
 function parseProtocol(url) {
   const match = /^([-+\w]{1,25})(:?\/\/|:)/.exec(url);
@@ -12054,6 +12054,18 @@ const wrapAsync = (asyncExecutor) => {
   })
 };
 
+const resolveFamily = ({address, family}) => {
+  if (!utils.isString(address)) {
+    throw TypeError('address must be a string');
+  }
+  return ({
+    address,
+    family: family || (address.indexOf('.') < 0 ? 6 : 4)
+  });
+};
+
+const buildAddressEntry = (address, family) => resolveFamily(utils.isObject(address) ? address : {address, family});
+
 /*eslint consistent-return:0*/
 const httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
   return wrapAsync(async function dispatchHttpRequest(resolve, reject, onDone) {
@@ -12064,15 +12076,16 @@ const httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
     let rejected = false;
     let req;
 
-    if (lookup && utils.isAsyncFn(lookup)) {
-      lookup = callbackify$1(lookup, (entry) => {
-        if(utils.isString(entry)) {
-          entry = [entry, entry.indexOf('.') < 0 ? 6 : 4];
-        } else if (!utils.isArray(entry)) {
-          throw new TypeError('lookup async function must return an array [ip: string, family: number]]')
-        }
-        return entry;
-      });
+    if (lookup) {
+      const _lookup = callbackify$1(lookup, (value) => utils.isArray(value) ? value : [value]);
+      // hotfix to support opt.all option which is required for node 20.x
+      lookup = (hostname, opt, cb) => {
+        _lookup(hostname, opt, (err, arg0, arg1) => {
+          const addresses = utils.isArray(arg0) ? arg0.map(addr => buildAddressEntry(addr)) : [buildAddressEntry(arg0, arg1)];
+
+          opt.all ? cb(err, addresses) : cb(err, addresses[0].address, addresses[0].family);
+        });
+      };
     }
 
     // temporary internal emitter until the AxiosRequest class will be implemented
@@ -12379,7 +12392,7 @@ const httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
           delete res.headers['content-encoding'];
         }
 
-        switch (res.headers['content-encoding']) {
+        switch ((res.headers['content-encoding'] || '').toLowerCase()) {
         /*eslint default-case:0*/
         case 'gzip':
         case 'x-gzip':
@@ -12475,7 +12488,7 @@ const httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
             }
             response.data = responseData;
           } catch (err) {
-            reject(AxiosError.from(err, null, config, response.request, response));
+            return reject(AxiosError.from(err, null, config, response.request, response));
           }
           settle(resolve, reject, response);
         });
@@ -12512,7 +12525,7 @@ const httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
       // This is forcing a int timeout to avoid problems if the `req` interface doesn't handle other types.
       const timeout = parseInt(config.timeout, 10);
 
-      if (isNaN(timeout)) {
+      if (Number.isNaN(timeout)) {
         reject(new AxiosError(
           'error trying to parse `config.timeout` to int',
           AxiosError.ERR_BAD_OPTION_VALUE,
@@ -12731,11 +12744,16 @@ const xhrAdapter = isXHRAdapterSupported && function (config) {
       }
     }
 
+    let contentType;
+
     if (utils.isFormData(requestData)) {
       if (platform.isStandardBrowserEnv || platform.isStandardBrowserWebWorkerEnv) {
         requestHeaders.setContentType(false); // Let the browser set it
-      } else {
-        requestHeaders.setContentType('multipart/form-data;', false); // mobile/desktop app frameworks
+      } else if(!requestHeaders.getContentType(/^\s*multipart\/form-data/)){
+        requestHeaders.setContentType('multipart/form-data'); // mobile/desktop app frameworks
+      } else if(utils.isString(contentType = requestHeaders.getContentType())){
+        // fix semicolon duplication issue for ReactNative FormData implementation
+        requestHeaders.setContentType(contentType.replace(/^\s*(multipart\/form-data);+/, '$1'));
       }
     }
 
@@ -12853,8 +12871,8 @@ const xhrAdapter = isXHRAdapterSupported && function (config) {
     // Specifically not if we're in a web worker, or react-native.
     if (platform.isStandardBrowserEnv) {
       // Add xsrf header
-      const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))
-        && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
+      // regarding CVE-2023-45857 config.withCredentials condition was removed temporarily
+      const xsrfValue = isURLSameOrigin(fullPath) && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
 
       if (xsrfValue) {
         requestHeaders.set(config.xsrfHeaderName, xsrfValue);
@@ -12928,7 +12946,7 @@ const knownAdapters = {
 };
 
 utils.forEach(knownAdapters, (fn, value) => {
-  if(fn) {
+  if (fn) {
     try {
       Object.defineProperty(fn, 'name', {value});
     } catch (e) {
@@ -12938,6 +12956,10 @@ utils.forEach(knownAdapters, (fn, value) => {
   }
 });
 
+const renderReason = (reason) => `- ${reason}`;
+
+const isResolvedHandle = (adapter) => utils.isFunction(adapter) || adapter === null || adapter === false;
+
 const adapters = {
   getAdapter: (adapters) => {
     adapters = utils.isArray(adapters) ? adapters : [adapters];
@@ -12946,30 +12968,44 @@ const adapters = {
     let nameOrAdapter;
     let adapter;
 
+    const rejectedReasons = {};
+
     for (let i = 0; i < length; i++) {
       nameOrAdapter = adapters[i];
-      if((adapter = utils.isString(nameOrAdapter) ? knownAdapters[nameOrAdapter.toLowerCase()] : nameOrAdapter)) {
+      let id;
+
+      adapter = nameOrAdapter;
+
+      if (!isResolvedHandle(nameOrAdapter)) {
+        adapter = knownAdapters[(id = String(nameOrAdapter)).toLowerCase()];
+
+        if (adapter === undefined) {
+          throw new AxiosError(`Unknown adapter '${id}'`);
+        }
+      }
+
+      if (adapter) {
         break;
       }
+
+      rejectedReasons[id || '#' + i] = adapter;
     }
 
     if (!adapter) {
-      if (adapter === false) {
-        throw new AxiosError(
-          `Adapter ${nameOrAdapter} is not supported by the environment`,
-          'ERR_NOT_SUPPORT'
+
+      const reasons = Object.entries(rejectedReasons)
+        .map(([id, state]) => `adapter ${id} ` +
+          (state === false ? 'is not supported by the environment' : 'is not available in the build')
         );
-      }
 
-      throw new Error(
-        utils.hasOwnProp(knownAdapters, nameOrAdapter) ?
-          `Adapter '${nameOrAdapter}' is not available in the build` :
-          `Unknown adapter '${nameOrAdapter}'`
-      );
-    }
+      let s = length ?
+        (reasons.length > 1 ? 'since :\n' + reasons.map(renderReason).join('\n') : ' ' + renderReason(reasons[0])) :
+        'as no adapter specified';
 
-    if (!utils.isFunction(adapter)) {
-      throw new TypeError('adapter is not a function');
+      throw new AxiosError(
+        `There is no suitable adapter to dispatch the request ` + s,
+        'ERR_NOT_SUPPORT'
+      );
     }
 
     return adapter;