npm audit vulnerability from dot-prop #8008
Comments
Duplicate of #7486
Are you implying that the dot-prop dependency vulnerability won't be fixed until the v2 release?
@joshuanapoli we cannot upgrade
Ok, I understand. Something to consider: the wide range of dependencies in the serverless package are giving users quite a bit of cost for features that I'm not using. For example, sub-dependency vulnerabilities in utils-china and update-notifier cause concern and burden even though I don't use these. I'd rather see these included through a plugin/preset style system, so that I can remove the features.
@joshuanapoli that's a valid point and we're aware of that. It's an unfortunate problem that comes from the monolithic nature of Serverless Framework. It's one of the reasons we're revisiting that approach with Serverless Components, where each cloud functionality is covered by a different component.
Running npm audit mentions a vulnerability with a sub-dependency:
dot-prop
.N/A
npm i --package-lock-only && npm audit
output
Installed version
N/A
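When `npm audit` flags a sub-dependency such as dot-prop, the first triage step is finding which direct dependencies pull it in and at which resolved version. The following Node.js example is added here and is not part of the original issue or the Serverless project's code; `findChains`, every package name other than `dot-prop`, and all version numbers are constructed, and it assumes the npm v6 lockfile layout (`lockfileVersion: 1`).

```javascript
// Added example: list every chain from a direct dependency to a flagged package.
// Assumes the npm v6 lockfile layout (lockfileVersion 1); all data is constructed.
function findChains(directDeps, lock, target) {
  const chains = [];
  // Resolve like Node does: nearest nested copy first, then outward to the root.
  const resolve = (name, scopes) => {
    for (let i = scopes.length - 1; i >= 0; i--) {
      const hit = (scopes[i].dependencies || {})[name];
      if (hit) return { entry: hit, scopes: scopes.slice(0, i + 1).concat(hit) };
    }
    return null; // not installed (e.g. optional dependency)
  };
  const walk = (name, scopes, path) => {
    if (path.includes(name)) return; // guard against dependency cycles
    const found = resolve(name, scopes);
    if (!found) return;
    const next = path.concat(name);
    if (name === target) {
      chains.push({ path: next.join(" > "), version: found.entry.version });
      return;
    }
    for (const req of Object.keys(found.entry.requires || {})) {
      walk(req, found.scopes, next);
    }
  };
  for (const dep of directDeps) walk(dep, [lock], []);
  return chains;
}

// Constructed lockfile: only "dot-prop" is a name taken from the issue.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "framework": { version: "1.0.0", requires: { "notifier": "^4.0.0" } },
    "notifier": { version: "4.0.0", requires: { "config-store": "^3.0.0" } },
    "config-store": {
      version: "3.0.0",
      requires: { "dot-prop": "^4.0.0" },
      dependencies: { "dot-prop": { version: "4.0.0" } }, // nested older copy
    },
    "other-lib": { version: "2.0.0", requires: { "dot-prop": "^5.0.0" } },
    "dot-prop": { version: "5.0.0" }, // hoisted root copy
  },
};

const chains = findChains(["framework", "other-lib"], sampleLock, "dot-prop");
for (const c of chains) console.log(`${c.path} (dot-prop@${c.version})`);
```

Each reported chain names the direct dependency that would have to be upgraded, replaced or removed to change the resolved copy of the flagged package.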