Some dependencies have pending vulnerability issues
Describe the bug
We currently depend on some vulnerable packages, including node-vault and plugin-warn-if-update-available.
To Reproduce
Steps to reproduce the behavior:
1. Install the ctl using `npm install -g @fonoster/ctl`
2. See the vulnerability notice.
Expected behavior
All vulnerable packages should be replaced/updated.
Additional context
I traced the issue to the now deprecated packages request and libnpm. If we find a suitable replacement for both of these libraries, fixing the issue should be straightforward.
Issue Analytics
- State:
- Created: 2 years ago
- Comments: 5 (4 by maintainers)
Top GitHub Comments
Note to self: Consider replacing node-vault with https://www.npmjs.com/package/hashi-vault-js

@BrayanMnz You are correct those two packages do root. The challenge is that they are transitive dependencies which makes them a bit difficult to replace. The issue must be fixed at node-vault and plugin-warn-if-update-available.

The package node-vault has a PR to replace Request with Axios, but no action has been taken. At this point, I am inclined to fork both packages and fix the issue until the maintainers of those projects get up to date.
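The "transitive dependencies" point from the last comment, as an added example (not code from fonoster/ctl or from the commenters): a walk over the nested tree that `npm ls --json --all` prints, listing every dependency chain that ends at a named package, so you can see whether a `package.json` edit can fix it or whether the fix has to land in an intermediate package. The sample tree is constructed here to mirror the chains the thread names; the nesting under plugin-warn-if-update-available and all version strings are assumptions.

```javascript
// Added example, not from the project: find every chain in an `npm ls --json`-style
// tree (package name -> { version, dependencies }) that leads to a given package.
// A chain longer than one entry means the package is transitive: replacing it requires
// a change in the intermediate package (or a fork of it), not in the top-level manifest.

// Constructed sample tree; versions are placeholders, and the libnpm nesting is assumed.
const sampleTree = {
  name: "@fonoster/ctl",
  dependencies: {
    "node-vault": {
      version: "0.0.0-placeholder",
      dependencies: {
        request: { version: "0.0.0-placeholder" },
      },
    },
    "plugin-warn-if-update-available": {
      version: "0.0.0-placeholder",
      dependencies: {
        libnpm: { version: "0.0.0-placeholder" },
      },
    },
  },
};

// Depth-first walk. Returns an array of chains; each chain is the list of package
// names from the first direct dependency down to `target`.
function findDependencyPaths(node, target, trail = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const chain = [...trail, name];
    if (name === target) out.push(chain);
    findDependencyPaths(child, target, chain, out);
  }
  return out;
}

// For each package of interest, report its chains and whether any chain is direct
// (length 1), which is the only case a plain manifest edit can resolve.
function classifyOffenders(tree, targets) {
  return targets.map((target) => {
    const chains = findDependencyPaths(tree, target);
    return {
      target,
      chains: chains.map((c) => c.join(" > ")),
      directlyReplaceable: chains.some((c) => c.length === 1),
    };
  });
}

console.log(JSON.stringify(classifyOffenders(sampleTree, ["request", "libnpm"]), null, 2));
```

Against a real install, feed `JSON.parse` of the `npm ls --json --all` output into `classifyOffenders` in place of the constructed tree.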