Dependencies have known vulnerabilities #727
Comments
Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
@trevordixon hey, thanks for opening the issue. We rely on dependabot across the whole org, and I just checked that it was disabled in this repo. I don't know why, but anyway, I just enabled it. We definitely want to have the CLI always up to date with patches to solve any vulnerability issues quickly. Feel free to also open a PR for specific patches that you need in place.
dependabot started kicking in -> https://github.com/asyncapi/cli/pulls?q=is%3Apr+author%3Aapp%2Fdependabot 💪🏼 I guess I can close this issue?
@derberg I think the most critical vulnerability is still present in the vm2 dependency, indirectly included via spectral-cli. Upgrading spectral-cli from 6.6.0 to 6.9.0 should resolve that one though. I started with a PR patching this but a bunch of tests failed and I need to find the time to understand and resolve the failures. If you get a chance to look at it before me that would be very much appreciated 😄
@mattias-persson even if tests are failing, please open a PR so I can have a look, maybe I will have some hints.
This issue has been automatically marked as stale because it has not had recent activity 😴 It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation. There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under an open governance model. Let us figure out together how to push this issue forward. Connect with us through one of the many communication channels we established here. Thank you for your patience ❤️
There are still many vulnerabilities. These can be fixed by an audit with version regressions (0.8.1). But this in turn causes other problems. When using the asyncapi cli, errors are thrown that modules cannot be found ([MODULE_NOT_FOUND] Error Plugin: @asyncapi/cli: Cannot find module '@oclif/plugin-help/lib/command').
still relevant |
@KristinaB162 The highest severity issues are present in the dependencies we don't have control over:
Still the high vulnerability from
In total 14 vulnerabilities (12 moderate, 2 high)
This issue has been automatically marked as stale because it has not had recent activity 😴 It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation. There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under an open governance model. Let us figure out together how to push this issue forward. Connect with us through one of the many communication channels we established here. Thank you for your patience ❤️
@asyncapi/cli is the only dependency in our project that depends on packages with vulnerabilities according to npm audit. Is upgrading to rely only on patched versions of dependencies a goal of the project, or should we assess the risk of individual vulnerabilities on our own and find a way to ignore vulnerabilities whose risk we deem acceptable?