PruvoNet / squiss-ts

High-volume Amazon SQS Poller for Node.js
Apache License 2.0

iltorb still a dependency when installing #125

Closed chandern closed 2 years ago

chandern commented 2 years ago

Hi, I have a security tool that has flagged iltorb as a vulnerable dependency of squiss-ts. I'm using node version 14.19.3 and when I do an install I see iltorb being installed as a dependency.

Expected Behavior

When installing squiss-ts as a package dependency, I expected iltorb not to be a dependency when installing with node version > 10.16.0.

Current Behavior

iltorb is being installed as a dependency even if installing squiss-ts with node version > 10.16.0. Running npm info squiss-ts --registry=https://registry.npmjs.org/ shows iltorb listed as a dependency.

Possible Solution

I believe it may be because you are using node 6.x to build the app when you publish a new version to NPM: https://github.com/PruvoNet/squiss-ts/blob/master/.github/workflows/ci.yml#L90

Your Environment

regevbr commented 2 years ago

@chandern v4.4.1 is released with a fix, can you please confirm it is solved?

chandern commented 2 years ago

I can confirm the issue is resolved. Thank you!