
chore: update dependency #285

Open
wants to merge 1 commit into
base: master

Conversation

jannyHou

@jannyHou jannyHou commented Jan 15, 2020

Update the dependencies:

The solution is from ppproxy@1ab25b6.

The vulnerable package path is:
loopback-component-storage@3.6.3 › pkgcloud@2.2.0 › liboneandone@1.2.0 › mocha@2.5.3 › growl@1.9.2

liboneandone is not maintained anymore; for more discussion, see pkgcloud/pkgcloud#644, pkgcloud/pkgcloud#675 and pkgcloud/pkgcloud#671.
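The dependency path quoted above, worked through as an added example (not code from this PR or from the loopback-component-storage project): a small Node script that walks a dependency tree and reports every route from the root to a package flagged by npm audit, which direct dependency owns that route, and whether the route exists only through a devDependency. It assumes the nested tree shape that `npm ls --json` prints (`--all` on npm 7+) plus a `dev: true` marker on dev-only packages, as package-lock.json records it; the second branch of the sample tree and all of its version numbers are hypothetical.

```javascript
// Added example for this PR thread, not code from loopback-component-storage
// or its maintainers. Walks a dependency tree in the nested shape that
// `npm ls --json` prints (name -> { version, dependencies }) and lists every
// route from the root to a package flagged by `npm audit`, so the reader can
// see which direct dependency pulls it in and whether the route only exists
// through a devDependency. The `dev: true` marker is an assumption of this
// example (package-lock.json flags dev-only packages that way; plain
// `npm ls --json` output may not carry it).
//
// Constructed input: the first branch reproduces the path quoted in the PR,
// loopback-component-storage > pkgcloud > liboneandone > mocha > growl. The
// second branch (the project's own test runner pulling a newer growl) and its
// version numbers are hypothetical, added only to show a dev-only route next
// to the runtime one.
const sampleTree = {
  name: 'loopback-component-storage',
  version: '3.6.3',
  dependencies: {
    pkgcloud: {
      version: '2.2.0',
      dependencies: {
        liboneandone: {
          version: '1.2.0',
          dependencies: {
            mocha: {
              version: '2.5.3',
              dependencies: { growl: { version: '1.9.2' } },
            },
          },
        },
      },
    },
    mocha: {                       // hypothetical devDependency of the root
      version: '7.0.0',
      dev: true,
      dependencies: { growl: { version: '1.10.5', dev: true } },
    },
  },
};

// Return one record per route from the root to `target`:
//   path     - 'name@version' for each link, root first
//   topLevel - the direct dependency of the root on that route (the package
//              to pin, fork or override if upstream never ships a fix)
//   devOnly  - true when some link on the route is dev-only, i.e. the route
//              is absent from a production install
function findPaths(tree, target) {
  const found = [];
  const walk = (name, node, trail, topLevel, devOnly) => {
    const path = trail.concat(`${name}@${node.version}`);
    const top = trail.length === 1 ? name : topLevel;   // depth 1 = direct dep
    const dev = devOnly || node.dev === true;
    if (name === target && trail.length > 0) {
      found.push({ path, topLevel: top, devOnly: dev });
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(childName, child, path, top, dev);
    }
  };
  walk(tree.name, tree, [], null, false);
  return found;
}

// Render a route the way npm audit prints it (the `›` separator in the PR).
function formatPath(record) {
  return record.path.join(' › ');
}

// Summarise: routes that survive a production install are the ones that
// matter for the "is this reachable at runtime" question; dev-only routes
// disappear from `npm audit --production` (or `--omit=dev` on newer npm).
function triage(tree, target) {
  const routes = findPaths(tree, target);
  const runtime = routes.filter((r) => !r.devOnly);
  return {
    runtime: runtime.map(formatPath),
    devOnly: routes.filter((r) => r.devOnly).map(formatPath),
    topLevelOwners: [...new Set(runtime.map((r) => r.topLevel))],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(sampleTree, 'growl'), null, 2));
}
```

To run it against a real project, replace `sampleTree` with the parsed output of `npm ls --json`. A runtime route only shows that the package is installed in production, not that it is ever loaded: a package that is required lazily, or never required at all, still appears on the path, so a claim that no runtime code uses it needs a separate check (for example loading the module and inspecting Node's `require.cache` for a `growl` entry, which catches eager requires but not lazy ones).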

@jannyHou
Author

Should fix the vulnerability; see the installation message:

jannyHous-MacBook-Pro:loopback-component-storage jannyhou$ npm i
npm WARN deprecated superagent@3.8.3: Please note that v5.0.1+ of superagent removes User-Agent header by default, therefore you may need to add it yourself (e.g. GitHub blocks requests without a User-Agent header).  This notice will go away with v5.0.2+ once it is released.

> ejs@2.7.4 postinstall /Users/jannyhou/Desktop/2019/snyk/loopback-component-storage/node_modules/ejs
> node ./postinstall.js

Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)

npm WARN eslint-plugin-mocha@4.12.1 requires a peer of eslint@^2.0.0 || ^3.0.0 || ^4.0.0 but none is installed. You must install peer dependencies yourself.

added 455 packages from 855 contributors and audited 2594 packages in 34.911s
found 0 vulnerabilities

@jannyHou
Author

Chatted with @raymondfeng; the best solution would be a new release of https://github.com/1and1/oneandone-cloudserver-sdk-nodejs

I contacted the author in 1and1/oneandone-cloudserver-sdk-nodejs#21 (comment) and will wait and see if we can use the new release.

@hectorleiva

Hey all, I really appreciate all the work that has gone into this package to make Strongloop/Loopback a viable framework.

I'm hoping that this can be merged in sometime soon as I continue to get critical and high warnings via npm audit when it seems like this branch resolves these warnings.

Again, I appreciate all the work! Thanks in advance.

@pbalan

pbalan commented Mar 4, 2020

Waiting for this update too.

@raymondfeng
Member

To those who are concerned, we did the analysis and concluded that the reported vulnerability came transitively from an older version of mocha. No runtime code uses that dependency and it's safe even though a warning is issued by npm audit.

We understand the alerts are annoying. We have tried to get it fixed by upstream modules but no success so far. It's a bit frustrating. We'll see if we have to fork the offending modules and release them under new names.

@pbalan

pbalan commented Mar 12, 2020

@raymondfeng I'd like some help with #237. Not sure if I should open a new one.

@mjaime29

mjaime29 commented Apr 6, 2020

Hey all, I really appreciate all the work. Waiting for this update too.

@stale

stale bot commented Jun 5, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 5, 2020

@KevLehman

Is there any update on this? I know that the dependency is not being used, but the critical thing is very annoying.

@stale stale bot removed the stale label Jun 18, 2020

@stale

stale bot commented Aug 22, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Aug 22, 2020

@mjaime29

Is there any update on this?

@stale stale bot removed the stale label Aug 24, 2020

@PowerICT

Any update on this issue?

@lewie6

lewie6 commented May 19, 2021

Hey, any update on this issue?

@Gayathri-Nadimpalli

Is there any update on this story?

@dhmlau
Member

dhmlau commented May 19, 2021

Just checked the comment @jannyHou posted above, 1and1/oneandone-cloudserver-sdk-nodejs#21 (comment); there's no progress there.

In the meanwhile, please take a look at @raymondfeng's comment:

No runtime code uses that dependency and it's safe even though a warning is issued by npm audit.

@stale

stale bot commented Jul 21, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jul 21, 2021