How does Action dependency resolution work?

We are using the twilio library for a custom phone action, and that has a dependency on axios that recently has critical vulnerabilities.

We’d like to understand how actions resolves transient dependencies and whether they are locked in place at deployment time or updated automatically.

Currently if I create a new action with twilio@6.0.0 (the latest at this time), it will resolve axios@1.15.2 - the same as if I did an npm install locally. I’ve verified by checking the version of axios within the action:

// Log the axios version that the deployed Action actually loads
const axios = require("axios");

exports.onExecutePostLogin = async (event, api) => {
  console.log(axios.VERSION);
};

(interestingly the version is 1.2.6 which is 3 years old if you don’t add any dependencies, so that must be built in)

There’s some strange behavior if we try to add axios@1.15.2 explicitly as a dependency - it gets removed when you deploy (presumably because it matches the resolved transient dependency) - if you specify a different version of axios it isn’t removed.

What we’d like to know is if there’s a vulnerability found in axios@1.15.2, is that version locked in place until we do something to override the version? Is there a package lock behind the scenes that is generated at deploy time, or will newer versions of transient dependencies be picked up over time?

Hi @amay

Welcome to the Auth0 Community!

Transient dependencies are locked in place at deployment time and are never updated automatically.

When you click “Deploy,” Auth0 bundles your code and resolves the dependencies into an immutable artifact. If a vulnerability is discovered in axios@1.15.2 tomorrow, your deployed Action will continue using 1.15.2 safely and predictably until you manually intervene and trigger a new deployment.

If a critical CVE is announced for axios@1.15.2, but Twilio has not yet released twilio@6.0.1 to fix it, here is how you force the patch:

  1. Go into your Action’s Dependencies list.
  2. Explicitly add the newly secured version of the transient dependency.
  3. Because 1.15.3 is different from the version Twilio naturally resolves, Auth0’s optimizer will keep your explicit declaration and force twilio to use 1.15.3 within the bundled artifact.
  4. Once Twilio officially updates their top-level package to include the fix, you can bump your twilio version and safely remove your explicit axios override.

Kind Regards,
Nik

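The two behaviours discussed in this thread, a transitive dependency pinned at deploy time and an explicit top-level declaration that is dropped when it matches the resolved version but kept when it differs, can be modelled and checked offline. The script below is an added example and is not code from the thread, from Auth0 or from Twilio. It uses a constructed, simplified package-lock v3 style "packages" map; the version numbers follow the thread (twilio@6.0.0 resolving axios@1.15.2) and 1.15.3 is used as the assumed first patched release, as in the answer. Auth0's actual optimizer and bundler are not public here, so the override rule is a model of the behaviour the posts describe, not their implementation.

```javascript
// Added example (not the thread's, Auth0's or Twilio's code): audit the
// transitive versions a lockfile pins and model the explicit-override rule.

// Constructed sample lock: an Action that declares only twilio@6.0.0,
// which pulls in axios (hoisted to node_modules/axios).
const SAMPLE_LOCK = {
  name: "custom-phone-action",
  packages: {
    "": { dependencies: { twilio: "6.0.0" } },
    "node_modules/twilio": { version: "6.0.0", dependencies: { axios: "^1.15.0" } },
    "node_modules/axios": { version: "1.15.2" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so 1.15.10 sorts after 1.15.9 (string compare would not).
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Version that require(name) loads from the bundle root: the hoisted entry.
function resolvedVersion(lock, name) {
  const entry = lock.packages[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// Packages that declare a dependency on `name` (why it is in the bundle).
function dependentsOf(lock, name) {
  return Object.entries(lock.packages)
    .filter(([path, pkg]) => path !== "" && pkg.dependencies && name in pkg.dependencies)
    .map(([path]) => path.replace(/^.*node_modules\//, ""));
}

// Report whether the pinned version is older than the first patched release.
function auditTransitive(lock, name, firstPatched) {
  const resolved = resolvedVersion(lock, name);
  return {
    name,
    resolved,
    requiredBy: dependentsOf(lock, name),
    vulnerable: resolved !== null && compareSemver(resolved, firstPatched) < 0,
  };
}

// Model of the deploy-time behaviour described in the thread (assumption,
// not Auth0's implementation): an explicit top-level declaration equal to the
// already-resolved version is dropped as redundant; a different version is
// kept and replaces the resolved entry. The input lock is not mutated.
function applyExplicitOverride(lock, name, version) {
  const current = resolvedVersion(lock, name);
  if (current === version) {
    return { lock, kept: false };
  }
  const packages = { ...lock.packages };
  packages[""] = {
    ...packages[""],
    dependencies: { ...packages[""].dependencies, [name]: version },
  };
  packages[`node_modules/${name}`] = { ...packages[`node_modules/${name}`], version };
  return { lock: { ...lock, packages }, kept: true };
}

// Usage: audit, apply the override from the answer's step 2, re-audit.
const before = auditTransitive(SAMPLE_LOCK, "axios", "1.15.3");
console.log("before override:", before);
const { lock: patched, kept } = applyExplicitOverride(SAMPLE_LOCK, "axios", "1.15.3");
console.log("override kept:", kept, "after override:", auditTransitive(patched, "axios", "1.15.3"));
```

Running this shows axios@1.15.2 flagged as below the patched version and required by twilio, an override to the identical 1.15.2 being dropped, and an override to 1.15.3 surviving and clearing the finding. Because the deployed artifact is immutable, a check like this belongs in the pipeline that produces a deployment (or in a scheduled audit of the dependency list), not inside the Action, which would otherwise only ever report the version it was bundled with.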