Bump follow-redirects from 1.15.2 to 1.15.4 #557
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.2 to 1.15.4. - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.2...v1.15.4) --- updated-dependencies: - dependency-name: follow-redirects dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
the
dependencies
|
@natelevinson10, take a look and see why the check fails and how we could fix that. This may be a bit too much in the weeds since you did not have a lot of time understanding the extension. But @jjeancharles can assist, and we can discuss here or in the chat any questions you may have. |
|
Related Dependabot alert. |
|
I’m not too sure how to get started with figuring out what caused the tests to fail, I looked at the error logs which indicate that Jest is failing to parse holdAPI.js on line 2, column 0. I don't see a holdAPI.js file in the repo, but I remember creating one and manually inputting the ipinfo.io API key into it. Any good idea of how to approach this failed check? |
|
@jjeancharles, do you have a suggestion? |
SebastianZimmeck
requested review from
JoeChampeau
and removed request for
jjeancharles
|
@JoeChampeau will also help looking into this, especially, for what are we using this library. As @danielgoldelman mentioned, it may be indirectly, i.e., we use a library that uses this library. Maybe, that needs updating. Maybe, we are also not using the library in the first place. In any case, some more digging would be good. |
|
The common issue among all these Dependabot PRs failing the checks seems to be that the command which generates an API token for testing relies on using a GitHub Actions secret that Dependabot doesn't have access to ( I'll do more research into the issue, but the key takeaways are 1. there are no issues with the updated dependency, so we're free to merge and 2. we might want to consider giving Dependabot access to the IP token, although there may or may not be vulnerabilities associated with that (there's a reason why the change was made). In any case, we always have recourse to simply recommitting like I did, which made me the author and, therefore, bypassed the issue with Dependabot's access perms. |
|
Great work, @JoeChampeau! |
|
Depending on how we fix that or not, maybe, write that up briefly in the Known Issues section of the readme. |
|
Alright, I've done a good amount of research on this issue, and there appears to be no clear consensus. Copying the IPinfo key to Dependabot's personal secrets registry (which is secured and encrypted like normal Actions secrets) suffers only from the possibility that a malicious update could be pushed to one of PP's dependencies which leverages Dependabot's access to the secret to steal it during the build tests for the automated PR. My assessment is as follows:
What do you think @SebastianZimmeck? |
|
OK, good points, @JoeChampeau! I'd say, let's go with the first option. We could disable the key quickly if worst comes to worst. |
|
Sounds good! I'm checking now and it looks like I don't have access to the Settings tab for this repo. I think it might be accessible only to you, @SebastianZimmeck. It should be a pretty straightforward process, though, you just have to navigate to |
|
OK, these are good instructions, @JoeChampeau. I did as you said. |
|
Great! Closing and merging for now, but we'll know for sure it's worked once the next Dependabot PR comes. |
dependabot
bot
deleted the
dependabot/npm_and_yarn/follow-redirects-1.15.4
branch
Bumps follow-redirects from 1.15.2 to 1.15.4.
Commits
6585820Release version 1.15.4 of the npm package.7a6567eDisallow bracketed hostnames.05629afPrefer native URL instead of deprecated url.parse.1cba8e8Prefer native URL instead of legacy url.resolve.72bc2a4Simplify _processResponse error handling.3d42aecAdd bracket tests.bcbb096Do not directly set Error properties.192dbe7Release version 1.15.3 of the npm package.bd8c81eFix resource leak on destroy.9c728c3Split linting and testing.You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.