chore(deps): upgrade @nestjs/axios to 3.0.1 #722

Closed

@UR-deR UR-deR commented Nov 18, 2023

update @nestjs/axios and other packages with incorrect peer dependency


fix #719

package.json Outdated
"@nrwl/node": "12.10.1",
"@nrwl/workspace": "12.10.1",
"@nrwl/workspace": "17.0.3",
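Review bot: the "@nrwl/workspace" bump to 17.0.3 leaves "@nrwl/node" at 12.10.1 on the line above, so the two Nx packages end up on different major versions. Keep the Nx packages on one version and move them together, or leave Nx out of this change.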

I wouldn't recommend updating nx directly in the package.json. Shouldn't we use nx migrate (https://nx.dev/core-features/automate-updating-dependencies) as that usually does much more work than just updating dependencies?

Author

I'm sorry, I should have read nx's documentation and shouldn't have included the nx update in this PR.
I only updated something related to the issue.

@UR-deR UR-deR force-pushed the axtx4869-feat/update-nestjs-axios branch from 8afad42 to 8d9cc25 Compare November 20, 2023 13:07
@UR-deR UR-deR requested a review from wvanderdeijl November 20, 2023 13:12
package.json Outdated
"@nuxtjs/opencollective": "0.3.2",
"axios": "1.6.0",
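Review bot: "axios": "1.6.0" pins one exact version. A range would let a consuming project resolve a later 1.x release without carrying a second copy of axios; if the exact pin is intentional, say why in the PR description.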
@alexan alexan Nov 21, 2023

Why do you set a specific axios version here? If you leave it out, using projects can just set their own axios version in future.
If it is needed for testing, it should just be added to devDependencies like on @nestjs/axios; then the axios version would not "bleed" to child projects.

Author

@UR-deR UR-deR Nov 22, 2023

Testing can be done without it.
But if I remove axios, a warning occurs like below.

warning " > @nestjs/axios@3.0.1" has unmet peer dependency "axios@^1.3.1"

Is it okay to ignore this or should I add axios to devDependencies?

as this is a library I would say this warning is okay as the consuming package should install its axios version

Author

I see, I removed axios from dependencies

@UR-deR UR-deR requested a review from alexan November 22, 2023 04:27
@UR-deR UR-deR force-pushed the axtx4869-feat/update-nestjs-axios branch from 8d9cc25 to ebf144e Compare November 22, 2023 10:14

manan19 commented Nov 22, 2023

Thanks for putting this together. Will it be released after this PR is merged? context GHSA-wf5p-g6vw-rhxx

Member

wing328 commented Nov 29, 2023

CI failed: https://github.com/OpenAPITools/openapi-generator-cli/actions/runs/6955846991/job/19127935712?pr=722

can you please take a look when you've time?

thanks again for the PR.

update @nestjs/axios and other packages with incorrect peer dependency
@UR-deR UR-deR force-pushed the axtx4869-feat/update-nestjs-axios branch from ebf144e to c4a74e9 Compare December 3, 2023 15:38
Author

UR-deR commented Dec 3, 2023

@wing328
I made some changes, could you rerun ci workflow?
Same error occurred on my local, but now it runs without failing.

Member

wing328 commented Dec 3, 2023

still some failed tests: https://github.com/OpenAPITools/openapi-generator-cli/actions/runs/7077821666/job/19262635518?pr=722

please take a look when you've time

@UR-deR UR-deR force-pushed the axtx4869-feat/update-nestjs-axios branch 2 times, most recently from 2b520c7 to 5627778 Compare December 4, 2023 16:01
@nestjs/axios@3.0.1 needs to be installed with axios
@UR-deR UR-deR force-pushed the axtx4869-feat/update-nestjs-axios branch from 5627778 to bcb89b5 Compare December 5, 2023 15:30
Author

UR-deR commented Dec 5, 2023

@wing328
Could you rerun workflow? I am not sure it will work well
thank you for your help

Member

wing328 commented Dec 7, 2023

Just reran the workflow. Let's see how that goes

Member

wing328 commented Dec 12, 2023

unfortunately the tests still failed:

Done in 9.16s.

> [email protected] oa
> openapi-generator-cli version

node:internal/modules/cjs/loader:1080
  throw err;
  ^

Error: Cannot find module 'axios'
Require stack:
- /home/runner/work/openapi-generator-cli/openapi-generator-cli/examples/node_modules/@nestjs/axios/dist/http.module.js
- /home/runner/work/openapi-generator-cli/openapi-generator-cli/examples/node_modules/@nestjs/axios/dist/index.js
- /home/runner/work/openapi-generator-cli/openapi-generator-cli/examples/node_modules/@nestjs/axios/index.js
- /home/runner/work/openapi-generator-cli/openapi-generator-cli/examples/node_modules/@openapitools/openapi-generator-cli/main.js
    at Module._resolveFilename (node:internal/modules/cjs/loader:1077:15)
    at Module._load (node:internal/modules/cjs/loader:922:27)
    at Module.require (node:internal/modules/cjs/loader:1143:19)
    at require (node:internal/modules/cjs/helpers:119:18)
    at Object.<anonymous> (/home/runner/work/openapi-generator-cli/openapi-generator-cli/examples/node_modules/@nestjs/axios/dist/http.module.js:16:33)
    at Module._compile (node:internal/modules/cjs/loader:1256:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1310:10)
    at Module.load (node:internal/modules/cjs/loader:1119:32)
    at Module._load (node:internal/modules/cjs/loader:960:12)
    at Module.require (node:internal/modules/cjs/loader:1143:19) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/home/runner/work/openapi-generator-cli/openapi-generator-cli/examples/node_modules/@nestjs/axios/dist/http.module.js',
    '/home/runner/work/openapi-generator-cli/openapi-generator-cli/examples/node_modules/@nestjs/axios/dist/index.js',
    '/home/runner/work/openapi-generator-cli/openapi-generator-cli/examples/node_modules/@nestjs/axios/index.js',
    '/home/runner/work/openapi-generator-cli/openapi-generator-cli/examples/node_modules/@openapitools/openapi-generator-cli/main.js'

@wing328 wing328 changed the base branch from master to axios-upgrade December 18, 2023 04:50
@wing328 wing328 changed the base branch from axios-upgrade to master December 18, 2023 04:50
@UR-deR UR-deR force-pushed the axtx4869-feat/update-nestjs-axios branch from 0327d79 to 6863baa Compare December 18, 2023 09:53
Author

UR-deR commented Dec 18, 2023

@wing328 Sorry for taking a while to fix ci failure.
I would like you to rerun the workflow

Author

UR-deR commented Dec 18, 2023

@wing328
Could you run workflow again🙏
I found a warning which may cause ci error and changed axios version specification

warning "/home/runner/work/openapi-generator-cli/openapi-generator-cli/package.tgz > @nestjs/axios@3.0.1" has unmet peer dependency "axios@^1.3.1".

Member

wing328 commented Dec 19, 2023

done but the tests still failed with the same error message

@UR-deR UR-deR force-pushed the axtx4869-feat/update-nestjs-axios branch from e435eb0 to 83b72f9 Compare December 21, 2023 10:37
Author

UR-deR commented Dec 21, 2023

@wing328
I changed jest config like #719 (comment)
I wanna see how the workflow goes

Member

wing328 commented Dec 22, 2023

done but got the same error

@simonhammes

I don't know a lot about NX, but this seems like a bug in NX related to the implicit dependency functionality.

axios was specified as a direct dependency as part of this PR, but it does not get added to the generated package.json, which causes the MODULE_NOT_FOUND errors in CI.

See https://github.com/OpenAPITools/openapi-generator-cli/actions/runs/7287055215/job/19881267299?pr=722#step:5:52

Maybe upgrading NX first would help? 🤷

Or is there a way to specify an explicit dependency with NX?
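
The failure described in the comment above (a dependency's required peer missing from the generated package.json) can be checked before publishing. This is an added example, not code from the thread or the project: the function name findUndeclaredPeers and both manifests are constructed for illustration, using the @nestjs/axios version and peer range quoted on this page.

```javascript
// Added example: constructed manifests, not the project's real files.
// Returns every non-optional peer dependency that a direct dependency
// requires but the published manifest does not list under dependencies
// or peerDependencies. Such a peer is not installed for the consumer
// and surfaces as MODULE_NOT_FOUND at require() time.
function findUndeclaredPeers(publishedManifest, dependencyManifests) {
  const direct = Object.keys(publishedManifest.dependencies || {});
  const provided = new Set([
    ...direct,
    ...Object.keys(publishedManifest.peerDependencies || {}),
  ]);
  const missing = [];
  for (const depName of direct) {
    const dep = dependencyManifests[depName];
    if (!dep) continue; // manifest not available, nothing to check
    const meta = dep.peerDependenciesMeta || {};
    for (const [peer, range] of Object.entries(dep.peerDependencies || {})) {
      const optional = Boolean(meta[peer] && meta[peer].optional === true);
      if (!optional && !provided.has(peer)) {
        missing.push({ requiredBy: depName, peer, range });
      }
    }
  }
  return missing;
}

// Constructed sample: the dependency's manifest with the peer range from
// the warning, and two versions of a generated package.json.
const manifests = {
  '@nestjs/axios': {
    name: '@nestjs/axios',
    version: '3.0.1',
    peerDependencies: { axios: '^1.3.1' },
  },
};
const generatedWithoutAxios = {
  name: 'example-cli', // hypothetical package name
  dependencies: { '@nestjs/axios': '3.0.1' },
};
const generatedWithAxios = {
  name: 'example-cli',
  dependencies: { '@nestjs/axios': '3.0.1', axios: '1.6.0' },
};

console.log(findUndeclaredPeers(generatedWithoutAxios, manifests));
console.log(findUndeclaredPeers(generatedWithAxios, manifests));
```

Run against the real build output, the same check would read the generated package.json and each dependency's package.json from node_modules instead of the inline objects.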

Member

wing328 commented Jan 3, 2024

@simonhammes thanks for the suggestion

@axtx4869 can you please also update NX as part of this PR?

(I saw the comment from @wvanderdeijl before)

@elmarbeckmann
Contributor

Any updates on this issue? I see that NX (17.2.x) now has [email protected] as a dependency which fixes the vulnerability there.

Member

wing328 commented Jan 17, 2024

@elmarbeckmann do you mind filing a PR on top of this change with the NX upgraded to newer version?

Contributor

elmarbeckmann commented Jan 17, 2024

@elmarbeckmann do you mind filing a PR on top of this change with the NX upgraded to newer version?

here you go, made a new PR. #730
dependencies were just a bit behind ;)

Member

wing328 commented Jan 18, 2024

closed via #730

@wing328 wing328 closed this Jan 18, 2024
Successfully merging this pull request may close these issues.

[BUG] axios version lesser than 1.6.0 has Cross-Site Request Forgery vulnerability
7 participants