Is grpc pulling in old dependencies? npm audit reporting an issue with an old version of y18n
Problem description
I started receiving an npm audit issue today, which is traced back to the grpc package:
$ yarn audit --groups dependencies
yarn audit v1.22.5
┌────────────────┬──────────────────────────────────────────────────────────────┐
│ high           │ Prototype Pollution                                          │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Package        │ y18n                                                         │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in     │ >=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0                      │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of  │ graphql-server                                               │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Path           │ graphql-server > grpc > protobufjs > yargs > y18n            │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ More info      │ https://www.npmjs.com/advisories/1654                        │
└────────────────┴──────────────────────────────────────────────────────────────┘
`yarn why` output confirms that the offending version is originating from grpc:
=> Found "grpc#y18n@3.2.1"
info Reasons this module exists
- "_project_#graphql-server#grpc#protobufjs#yargs" depends on it
- Hoisted from "_project_#graphql-server#grpc#protobufjs#yargs#y18n"
Is grpc pulling in an old version of a dependency?
Issue Analytics
- Created 2 years ago
- Comments: 6 (4 by maintainers)
Top GitHub Comments
The deprecation is scheduled for late April.
The grpc package has been deprecated. We will not fix this.
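Added example, not code from the issue or the grpc project: a small Node script that evaluates the advisory's "Patched in" range against the version `yarn why` reports, and picks the lowest patched version within the same major as a candidate pin for a yarn `resolutions` override when the parent package (here a deprecated grpc) will not be updated. It assumes the range grammar seen in the audit output above (`||` alternatives of `>=` / `<` bounds); the function names and the sample versions are mine.

```javascript
// Parse "x.y.z" into [x, y, z]; only plain release versions are handled here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// "Patched in" grammar as printed by yarn audit: alternatives separated by "||",
// each a space-separated conjunction of ">=x.y.z" and "<x.y.z" bounds.
function parseRange(text) {
  return text.split('||').map((alt) =>
    alt.trim().split(/\s+/).map((bound) => {
      const m = /^(>=|<)(\d+\.\d+\.\d+)$/.exec(bound);
      if (!m) throw new Error(`unsupported bound: ${bound}`);
      return { op: m[1], version: parseVersion(m[2]) };
    }),
  );
}

// True when the installed version falls inside any patched alternative.
function isPatched(installed, range) {
  const v = parseVersion(installed);
  return parseRange(range).some((alt) =>
    alt.every(({ op, version: b }) => (op === '>=' ? compare(v, b) >= 0 : compare(v, b) < 0)),
  );
}

// Lowest patched version that keeps the installed major (the ">=" bound of the
// matching alternative), or null when the advisory lists no fix for that major.
function minimalPatchedVersion(installed, range) {
  const major = parseVersion(installed)[0];
  const lowers = parseRange(range)
    .map((alt) => alt.find((b) => b.op === '>=' && b.version[0] === major))
    .filter(Boolean)
    .map((b) => b.version.join('.'));
  if (!lowers.length) return null;
  return lowers.sort((a, b) => compare(parseVersion(a), parseVersion(b)))[0];
}

// Values copied from the audit table above; "3.2.1" is what yarn why reported.
const PATCHED_IN = '>=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0';
const target = minimalPatchedVersion('3.2.1', PATCHED_IN);
console.log(`patched: ${isPatched('3.2.1', PATCHED_IN)}, candidate resolution: y18n@^${target}`);
```

The candidate pin only tells you which version closes the advisory within the major the parents already accept; after adding it under `resolutions` in package.json, re-run `yarn audit` and the test suite, since an override is applied without the intermediate packages' consent.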