Upgrade vulnerable dependencies #7486
Comments
We may remove the mkdirp dependency, since Node.js 10.12.0 added a recursive option to fs.mkdir. https://nodejs.org/api/fs.html#fs_fs_mkdir_path_options_callback

How about removing One example of npm module that removed update-notifier.

@exoego thanks for the suggestion. Still, it doesn't apply that much in Many developers use just a global (or standalone) installation, and naturally in such a case they're not tracking new updates via some external means.

Ah, that's true.

I have an enterprise installation of this for which
Fixes serverless#7486 Bump update-notifier to the current version to resolve security alerts. However, don't load in Node.js 6 because the current version is only supported in Node.js 8 and above. The serverless package will still work in Node.js 6, but it will not alert people when an upgrade is available.
I can think of a few ways around this for Easiest option might be to bump There are other options, but I'd start with that one. I'll open a PR for that and see what happens with it.
Well, the PR template has this:
So maybe I'll wait for a maintainer to comment.....

Here's the change I'm suggesting: https://github.com/serverless/serverless/compare/master...Trott:update-notifier?expand=1
@Trott thanks for the proposal. I think the right approach is simply to drop support for Node.js v6 & v8 and release a new major. I will discuss it internally, and hopefully by the end of this month we will have that sorted out.

Good news: dot-prop@4.2.1 has been published with the security fix. sindresorhus/dot-prop#63 (comment)
Whether the automated tools that report the issue pick that fact up or not remains to be seen....

Before jumping on dot-prop@4.2.1 hastily, please double-check the integrity of the upstream. I see that the source repo on GitHub has not been updated (see the commit history of https://github.com/sindresorhus/dot-prop, where the latest 4.x tag is 4.2.0), yet there's a new version 4.2.1 posted at npmjs. I don't know how to account for this discrepancy, but for a high-popularity repo like that with ~15M downloads weekly I'd like to know why it exists. (There is an apparent/incomplete transition in maintenance of that upstream repo; see the discussion in their issue sindresorhus/dot-prop#63. What's published to npmjs came from a fork rather than a merged PR.)
I'm glad to announce that we will release v2 next week. A PR that upgrades vulnerable dependencies is welcome (I've updated the main description)!
We need to upgrade the following dependencies:

- boxen (see update boxen and update-notifier #7226) (Addressed with build(dependency): upgrade to boxen@v4.2.0 #8163)
- update-notifier (see update boxen and update-notifier #7226 and npm audit vulnerability from dot-prop #8008) (Addressed with Upgrade update-notifier to v4 #8182)
- mkdirp (see Serverless Framework has a transitive HIGH NVD Vulnerability #7455) - Replace with fs-extra's ensureDir (Addressed with Drop mkdrip dependency #8183)

Ideally each upgrade should be addressed with a different PR.
PRs should be based against the v2 branch.