Allow patched Axios 1.x releases#200
Open
kangkona wants to merge 1 commit into
Open
Conversation
The existing tilde range traps clean installs on Axios 1.13.x even though current advisories are fixed in 1.16.0 and later. Raise the security floor and allow compatible 1.x minor releases so consumers can receive present and future fixes without overrides. Constraint: Current Axios advisories require 1.16.0 or newer Rejected: Pin Axios 1.18.1 exactly | would block compatible future security releases Confidence: high Scope-risk: narrow Reversibility: clean Directive: Keep the Axios minimum at or above the latest reviewed advisory floor Tested: yarn build; 46 suites and 450 tests; yarn check --integrity; npm pack --dry-run; Axios-filtered yarn audit Not-tested: Live Lark API request because no upstream test credentials are available Related: larksuite#199
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
~1.13.3to^1.16.0yarn.lock, resolving the tested tree to Axios1.18.1Why
The tilde range keeps consumers on Axios 1.13.x and prevents package managers from selecting current patched 1.x minors. The current Axios advisories reported against the locked version have a highest patched-version floor of
>=1.16.0. Using a caret range preserves that security floor while allowing future compatible 1.x security releases.This changes no SDK API. A fresh install resolves Axios 1.18.1 and its updated transitive dependencies.
Closes #199.
Validation
yarn build— passed; Rollup emitted project-wide TypeScript/unresolved-dependency warnings unrelated to this two-file dependency diffyarn test --runInBand— 46 suites and 450 tests passedyarn check --integrity— passednpm pack --dry-run— passed for@larksuiteoapi/node-sdk@1.71.0yarn audit— 0 advisories after the updateThe full repository audit still reports findings in other dependencies (including protobufjs and ws). Those are intentionally outside this narrowly scoped Axios remediation.