Description
When installing dc-management-sdk-js via npm install, there is a high severity vulnerability reported.
Steps to Reproduce
There are of course many ways to do this, but from "scratch":
mkdir example
cd example/
npm init --yes
npm install dc-management-sdk-js --save
You can also see there are even more vulnerabilities reported if you clone the actual repo:
git clone git@github.com:amplience/dc-management-sdk-js.git
cd dc-management-sdk-js
npm install
Expected Results
Install dependencies without any reported high severity vulnerabilities
Actual Results
npm WARN deprecated axios@0.18.1: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN example@1.0.0 No description
npm WARN example@1.0.0 No repository field.
+ dc-management-sdk-js@1.10.0
added 7 packages from 9 contributors and audited 7 packages in 0.868s
1 package is looking for funding
run `npm fund` for details
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
I would like to be able to use the management SDK in a project but because of policies around high priority vulnerabilities in NPM dependencies this is a lot more difficult.
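The nested-axios situation that npm audit reports above, checked directly against the lockfile, as an added example that is not part of this issue or of the SDK. It walks an npm v6 package-lock.json and flags every resolved axios older than 0.21.1, the release the deprecation warning names as carrying the fix; the lockfile it runs on is constructed for illustration, not the SDK's real one.

```javascript
// Added example, not code from the dc-management-sdk-js project.
// Finds every resolved axios entry in an npm v6 lockfile that predates the
// version the npm deprecation warning names as fixed.
const FIXED_AXIOS = '0.21.1';

// Compare two dotted numeric versions ("0.18.1" vs "0.21.1"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively visit every "dependencies" map in the lockfile, keeping the
// path so a transitive copy of axios is reported together with its parent.
function findOutdatedAxios(lockfile, path = [], out = []) {
  const deps = lockfile.dependencies || {};
  for (const [name, entry] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === 'axios' && compareVersions(entry.version, FIXED_AXIOS) < 0) {
      out.push({ path: here.join(' > '), version: entry.version });
    }
    findOutdatedAxios(entry, here, out); // descend into nested dependencies
  }
  return out;
}

// Constructed sample lockfile (lockfileVersion 1): a top-level axios already
// at the fixed version next to an older axios nested under the SDK.
const sampleLock = {
  name: 'example', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    axios: { version: '0.21.1' },
    'dc-management-sdk-js': {
      version: '1.10.0',
      dependencies: { axios: { version: '0.18.1' } },
    },
  },
};

// Stand-alone run: print each outdated copy with the path it was found at.
if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findOutdatedAxios(sampleLock)) {
    console.log(`axios ${hit.version} (< ${FIXED_AXIOS}) at ${hit.path}`);
  }
}
```

To run it against a real project, replace sampleLock with JSON.parse of the project's package-lock.json; an empty result means no resolved axios below 0.21.1 anywhere in the tree.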
Reading the upstream issue (axios/axios#3369), I don't believe we are impacted; this vulnerability is related to the Axios proxy feature, and our SDK doesn't allow you to specify a proxy.
Are you able to supply a code example that demonstrates that we are directly impacted by this issue?
Regarding #29, any change to our SDK needs to be approved by our internal QA team before it can be released, so even though our unit tests pass, etc., it still requires a QA approval.
I cannot give any estimates to when this will be done at the current time.
So re: the Axios issue actually being relevant or not, I haven't checked and don't know (I would believe you that it is not!). The problem we're running into is that the greater "ecosystem" that we deploy into has various static code analysis tools / security checks and policies. These might happen at build or deploy time, and very likely done by a different team who doesn't have the capability to read through code to see if something is actually a vulnerability.
So hopefully that makes sense - it's more of a tooling issue, and it's not always something an individual developer / team can say "oh it's not actually an issue."
Affected browsers/environments
I believe anything using this package.