Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Some dependencies have pending vulnerability issues
See original GitHub issueDescribe the bug We currently depend on some vulnerable packages, including node-vault and plugin-warn-if-update-available.
To Reproduce Steps to reproduce the behavior:
Install the ctl using npm install -g @fonoster/ctl and see the vulnerability notice.
Expected behavior All vulnerable packages should be replaced/updated.
Additional context
I traced the issue to the now deprecated packages request and libnpm. If we find a suitable replacement for both of these libraries, fixing the issue should be straightforward.
Issue Analytics
- State:
- Created 2 years ago
- Comments:5 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Note to self:
Consider replacing
node-vaultwith https://www.npmjs.com/package/hashi-vault-js@BrayanMnz
You are correct those two packages do root. The challenge is that they are transitive dependencies which makes them a bit difficult to replace. The issue must be fixed at node-vault and plugin-warn-if-update-available..
The package node-vault has a PR to replace Request with Axios, but no action has been taken. At this point, I am inclined to fork both packages and fix the issue until the maintainers of those projects get up to date.