We are using the twilio library for a custom phone action, and that has a dependency on axios that recently has critical vulnerabilities.
We’d like to understand how Actions resolve transient dependencies and whether they are locked in place at deployment time or updated automatically.
Currently if I create a new action with twilio@6.0.0 (the latest at this time), it will resolve axios@1.15.2 - the same as if I did an npm install locally. I’ve verified by checking the version of axios within the action:
    // Log the axios version actually bundled into the deployed Action
    const axios = require("axios");
    exports.onExecutePostLogin = async (event, api) => {
      console.log(axios.VERSION);
    };
(Interestingly, the version is 1.2.6, which is 3 years old, if you don’t add any dependencies, so that must be built in.)
There’s some strange behavior if we try to add axios@1.15.2 explicitly as a dependency: it gets removed when you deploy (presumably because it matches the resolved transient dependency); if you specify a different version of axios, it isn’t removed.
What we’d like to know is: if a vulnerability is found in axios@1.15.2, is that version locked in place until we do something to override it? Is there a package lock behind the scenes that is generated at deploy time, or will newer versions of transient dependencies be picked up over time?