Open alexpArtos opened 6 years ago
alexpArtos
commented
6 years ago Does anyone out there have a similar problem? We would really like to use Doxity with our code, because it adds value to what we're doing, but we are wary of using it with a critical vulnerability around. Is anyone else also affected by this, or does anyone have a workaround?
Thank you.
alexpArtos
commented
6 years ago To add some context to this. Although my team would like to use Doxity for our development, we are probably not going to do it while those vulnerabilities persist, as one of them is critical. I've traced it down to growl 1.9.2 being requested by a chain of dependencies that leads ultimately to solidity-parser 0.3.0, which is requested by the truffle-compile fork inside doxity.
trufflesuite/truffle-compile is now deprecated, and has been migrated to trufflesuite/truffle, which no longer uses solidity-parser. I tried changing my package.json locally to request the latest mocha package, which will pick the most recent growl and remove the vulnerability, but that creates repeated versions of mocha and growl, keeping the vulnerability in.
Any advice on how to fix this? Thanks.
roynalnaruto
commented
6 years ago Hi @alexpArtos Please refer the doxity-latest branch
This will also work for truffle projects, with the latest version of solc (0.4.24).
As a guideline, please check how we have used doxity in this repository
Also please check my comment for steps on setting it up. Hope this helps
When I clone the Doxity repository on a Windows machine and run
npm install, I get this output: (Note: I modified the compile target in package.json to work in Windows)Could these references be updated in the repo?