From 5dc17a56f9b434e941c6be63c0b211437c983047 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sat, 28 Oct 2023 02:36:24 +0000 Subject: [PATCH 1/4] fix: package.json & package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AXIOS-6032459 --- package-lock.json | 46 +++++++++++++++++++++++++++++----------------- package.json | 2 +- 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/package-lock.json b/package-lock.json index 6d6f52a0c..2736fee6e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -20,7 +20,7 @@ "@sentry/tracing": "^6.19.7", "@snyk/code-client": "^4.12.4", "analytics-node": "^4.0.1", - "axios": "^0.27.2", + "axios": "^1.6.0", "glob": "^7.2.0", "he": "^1.2.0", "htmlparser2": "^7.2.0", @@ -2498,12 +2498,13 @@ } }, "node_modules/axios": { - "version": "0.27.2", - "resolved": "https://registry.npmjs.org/axios/-/axios-0.27.2.tgz", - "integrity": "sha512-t+yRIyySRTp/wua5xEr+z1q60QmLq8ABsS5O9Me1AsE5dfKqgnCFzwiCZZ/cGNd1lq4/7akDWMxdhVlucjmnOQ==", + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.0.tgz", + "integrity": "sha512-EZ1DYihju9pwVB+jg67ogm+Tmqc6JmhamRN6I4Zt8DfZu5lbcQGw3ozH9lFejSJgs/ibaef3A9PMXPLeefFGJg==", "dependencies": { - "follow-redirects": "^1.14.9", - "form-data": "^4.0.0" + "follow-redirects": "^1.15.0", + "form-data": "^4.0.0", + "proxy-from-env": "^1.1.0" } }, "node_modules/axios-retry": { @@ -4375,9 +4376,9 @@ "dev": true }, "node_modules/follow-redirects": { - "version": "1.14.9", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.9.tgz", - "integrity": "sha512-MQDfihBQYMcyy5dhRDJUHcw7lb2Pv/TuE6xP1vyraLukNDHKbDxDNaOE3NbCAdKQApno+GPRyo1YAp89yCjK4w==", + "version": "1.15.3", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.3.tgz", + "integrity": "sha512-1VzOtuEM8pC9SFU1E+8KfTjZyMztRsgEfwQl44z8A25uy13jSzTj6dyK2Df52iV0vgHCfBwLhDWevLn95w5v6Q==", "funding": [ { "type": "individual", @@ -6948,6 +6949,11 @@ "node": ">= 0.10" } }, + "node_modules/proxy-from-env": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", + "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==" + }, "node_modules/psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", @@ -10369,12 +10375,13 @@ "dev": true }, "axios": { - "version": "0.27.2", - "resolved": "https://registry.npmjs.org/axios/-/axios-0.27.2.tgz", - "integrity": "sha512-t+yRIyySRTp/wua5xEr+z1q60QmLq8ABsS5O9Me1AsE5dfKqgnCFzwiCZZ/cGNd1lq4/7akDWMxdhVlucjmnOQ==", + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.0.tgz", + "integrity": "sha512-EZ1DYihju9pwVB+jg67ogm+Tmqc6JmhamRN6I4Zt8DfZu5lbcQGw3ozH9lFejSJgs/ibaef3A9PMXPLeefFGJg==", "requires": { - "follow-redirects": "^1.14.9", - "form-data": "^4.0.0" + "follow-redirects": "^1.15.0", + "form-data": "^4.0.0", + "proxy-from-env": "^1.1.0" }, "dependencies": { "form-data": { @@ -11816,9 +11823,9 @@ "dev": true }, "follow-redirects": { - "version": "1.14.9", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.9.tgz", - "integrity": "sha512-MQDfihBQYMcyy5dhRDJUHcw7lb2Pv/TuE6xP1vyraLukNDHKbDxDNaOE3NbCAdKQApno+GPRyo1YAp89yCjK4w==" + "version": "1.15.3", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.3.tgz", + "integrity": "sha512-1VzOtuEM8pC9SFU1E+8KfTjZyMztRsgEfwQl44z8A25uy13jSzTj6dyK2Df52iV0vgHCfBwLhDWevLn95w5v6Q==" }, "form-data": { "version": "3.0.1", @@ -13731,6 +13738,11 @@ "ipaddr.js": "1.9.1" } }, + "proxy-from-env": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", + "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==" + }, "psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", diff --git a/package.json b/package.json index 29f70e09e..fe7613b1a 100644 --- a/package.json +++ b/package.json @@ -440,7 +440,7 @@ "@sentry/tracing": "^6.19.7", "@snyk/code-client": "^4.12.4", "analytics-node": "^4.0.1", - "axios": "^0.27.2", + "axios": "^1.6.0", "glob": "^7.2.0", "he": "^1.2.0", "htmlparser2": "^7.2.0", From 37c69cc9864d388821a6bfefb6decbbf8ee7f6e7 Mon Sep 17 00:00:00 2001 From: Catalina Oyaneder Date: Fri, 1 Dec 2023 13:44:45 +0000 Subject: [PATCH 2/4] chore: fix misspelling --- package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index fe7613b1a..bf0cae221 100644 --- a/package.json +++ b/package.json @@ -63,21 +63,21 @@ "scope": "application" }, "snyk.yesTelemetry": { - "//": "Name starts with y to put it at the end, as configs are sorted alphbetically", + "//": "Name starts with y to put it at the end, as configs are sorted alphabetically", "type": "boolean", "default": true, "markdownDescription": "Send usage statistics to Snyk", "scope": "application" }, "snyk.yesWelcomeNotification": { - "//": "Name starts with y to put it at the end, as configs are sorted alphbetically", + "//": "Name starts with y to put it at the end, as configs are sorted alphabetically", "type": "boolean", "default": true, "markdownDescription": "Show welcome notification after installation and restart", "scope": "application" }, "snyk.yesBackgroundOssNotification": { - "//": "Name starts with y to put it at the end, as configs are sorted alphbetically", + "//": "Name starts with y to put it at the end, as configs are sorted alphabetically", "type": "boolean", "default": true, "markdownDescription": "Show scan notification for critical Open Source Security vulnerabilities when Snyk view is hidden", From c6cb40c1397635af75b70b378234c1be8288b59c Mon Sep 17 00:00:00 2001 From: Catalina Oyaneder Date: Fri, 1 Dec 2023 13:45:14 +0000 Subject: [PATCH 3/4] chore: update imports order due to lint --- src/snyk/common/languageServer/staticLsApi.ts | 10 +++++----- src/snyk/common/proxy.ts | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/snyk/common/languageServer/staticLsApi.ts b/src/snyk/common/languageServer/staticLsApi.ts index 70d08b30d..40600c0a0 100644 --- a/src/snyk/common/languageServer/staticLsApi.ts +++ b/src/snyk/common/languageServer/staticLsApi.ts @@ -1,12 +1,12 @@ import axios, { CancelTokenSource } from 'axios'; +import { IConfiguration } from '../configuration/configuration'; import { PROTOCOL_VERSION } from '../constants/languageServer'; -import { LsExecutable } from './lsExecutable'; -import { LsSupportedPlatform } from './supportedPlatforms'; -import { getAxiosConfig } from '../proxy'; -import { IVSCodeWorkspace } from '../vscode/workspace'; import { DownloadAxiosResponse } from '../download/downloader'; -import { IConfiguration } from '../configuration/configuration'; import { ILog } from '../logger/interfaces'; +import { getAxiosConfig } from '../proxy'; +import { IVSCodeWorkspace } from '../vscode/workspace'; +import { LsExecutable } from './lsExecutable'; +import { LsSupportedPlatform } from './supportedPlatforms'; export type LsMetadata = { tag: string; diff --git a/src/snyk/common/proxy.ts b/src/snyk/common/proxy.ts index 1d54078f7..7ae4f5cf0 100644 --- a/src/snyk/common/proxy.ts +++ b/src/snyk/common/proxy.ts @@ -3,9 +3,9 @@ import fs from 'fs/promises'; import { Agent, AgentOptions, globalAgent } from 'https'; import { HttpsProxyAgent, HttpsProxyAgentOptions } from 'https-proxy-agent'; import * as url from 'url'; -import { IVSCodeWorkspace } from './vscode/workspace'; import { IConfiguration } from './configuration/configuration'; import { ILog } from './logger/interfaces'; +import { IVSCodeWorkspace } from './vscode/workspace'; export async function getHttpsProxyAgent( workspace: IVSCodeWorkspace, From 9fc9cdae66d320b4faf786cb84d402614a3cbf03 Mon Sep 17 00:00:00 2001 From: Catalina Oyaneder Date: Fri, 1 Dec 2023 13:50:34 +0000 Subject: [PATCH 4/4] fix: set `Authorization` instead of overriding headers This change ensures compatibility with Axios 1.x's AxiosRequestHeaders type and resolves TypeScript type mismatch issues. --- src/snyk/advisor/services/advisorApiClient.ts | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/snyk/advisor/services/advisorApiClient.ts b/src/snyk/advisor/services/advisorApiClient.ts index 9e3e13236..9a068857d 100644 --- a/src/snyk/advisor/services/advisorApiClient.ts +++ b/src/snyk/advisor/services/advisorApiClient.ts @@ -47,11 +47,7 @@ export class AdvisorApiClient implements IAdvisorApiClient { const token = await this.configuration.getToken(); this.http.interceptors.request.use(req => { req.baseURL = this.configuration.baseApiUrl; - req.headers = { - ...req.headers, - Authorization: `token ${token}`, - } as { [header: string]: string }; - + req.headers['Authorization'] = `token ${token}`; return req; }); return this.http.post(url, data, config);