Closed ALRubinger closed 1 year ago
Confirmed exists in most recent version: `npm install @tbd54566975/web5`; may or may not be present in the latest PR that the OSE team is reviewing?
There are currently 4 vulnerabilities reported when installing the latest PR version of Web5 JS. They all come from `@decentralized-identity/ion-tools` which depends on the `ion-pow-sdk` package which is still using `cross-fetch` `3.1.2`.
@csuwildcat Can we get `ion-pow-sdk` updated to use the `3.1.5` version of `cross-fetch`?
Yes, I can do that
Thanks @csuwildcat for the quick turnaround. `ion-tools` version bumped in v0.6.0 release.
```
npm install
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated multibase@4.0.6: This module has been superseded by the multiformats module
added 629 packages, and audited 630 packages in 13s
89 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
```
Appreciate ya, gents!
Are we exposing vulnerabilities in the dependency tree? Can these be removed through upgrades? Or safely ignored?
Please advise; users will see this when installing and it's best to have a clear `npm install` command to avoid security holes (or at least, confusion).
Docs issue to resolve once this is closed: https://github.com/TBD54566975/developer.tbd.website/issues/418
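
Added example (not part of the thread, and not code from the Web5 JS or ion-tools projects): one way to trace which dependency chain pulls an outdated transitive package such as `cross-fetch` into an install, by walking the `packages` map of an npm lockfile. The lockfile contents, `example-app` and the `0.0.0-example` versions are constructed; only the package names and the `3.1.2` / `3.1.5` versions come from the discussion above.

```javascript
// Added example. Lockfile data below is constructed, not from the Web5 JS repo.
// Compare plain x.y.z versions (pre-release tags are not handled).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Node-style resolution: nearest node_modules first, then walk up to the root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('node_modules/');
    base = cut <= 0 ? '' : base.slice(0, cut - 1);
  }
}

// Every chain from the root project to a copy of `name` older than `minVersion`.
// Assumption: only dependencies (plus root devDependencies) are followed.
function findOutdatedChains(lock, name, minVersion) {
  const packages = lock.packages, chains = [];
  const walk = (path, chain, seen) => {
    const deps = Object.assign({}, packages[path].dependencies,
      path === '' ? packages[path].devDependencies : undefined);
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, path, dep);
      if (!target || seen.has(target)) continue;
      const version = packages[target].version;
      const next = chain.concat(dep + '@' + version);
      if (dep === name && cmpVersion(version, minVersion) < 0) chains.push(next.join(' > '));
      walk(target, next, new Set(seen).add(target));
    }
  };
  walk('', [lock.name || '(root)'], new Set(['']));
  return chains;
}

// Constructed lockfile (lockfileVersion 3 layout); "0.0.0-example" is a placeholder.
const sampleLock = { name: 'example-app', lockfileVersion: 3, packages: {
  '': { dependencies: { '@decentralized-identity/ion-tools': '*', 'cross-fetch': '^3.1.5' } },
  'node_modules/cross-fetch': { version: '3.1.5' },
  'node_modules/@decentralized-identity/ion-tools': { version: '0.0.0-example', dependencies: { 'ion-pow-sdk': '*' } },
  'node_modules/ion-pow-sdk': { version: '0.0.0-example', dependencies: { 'cross-fetch': '3.1.2' } },
  'node_modules/ion-pow-sdk/node_modules/cross-fetch': { version: '3.1.2' },
} };

console.log(findOutdatedChains(sampleLock, 'cross-fetch', '3.1.5'));
```

In the constructed data the root project already has `cross-fetch` 3.1.5 hoisted, yet the nested copy under `ion-pow-sdk` is still reported, which is why the fix had to land upstream rather than in the top-level project.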