TritonDataCenter / node-docker-registry-client

node.js client for the docker registry
Mozilla Public License 2.0

Upgrade deps to resolve vulnerabilities #29

Closed rankida closed 5 years ago

rankida commented 5 years ago

I know I should log this using Gerrit, but I have read the user guide and it is still unclear how I (a non-Joyent engineer) do this.

I guess I will need to keep trying.

Before:

node-docker-registry-client   master  npm i
npm WARN deprecated tough-cookie@2.0.0: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130

added 108 packages from 128 contributors and audited 212 packages in 13.161s
found 6 vulnerabilities (2 low, 3 moderate, 1 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Now:

node-docker-registry-client   resolve-vulnerabilities  npm i
audited 177 packages in 1.992s
found 0 vulnerabilities

rankida commented 5 years ago

Fixes #29

twhiteman commented 5 years ago

Unfortunately we cannot accept this merge request, as it will cause some issues with the Triton software stack, notably:

  1. base64url version 2 and above requires node 6+, but the Triton stack (imgapi and docker parts) that uses this module is currently using node 4.

  2. restify-clients moving across major versions may create some incompatibilities between dependent Triton software

  3. restify-errors moving across major versions may create some incompatibilities between dependent Triton software

teppeis commented 5 years ago

@twhiteman How about tough-cookie? https://github.com/joyent/node-docker-registry-client/pull/14

twhiteman commented 5 years ago

Unfortunately not either (as our node dependencies are very old). Closed #14.

jValdron commented 2 years ago

> Unfortunately not either (as our node dependencies are very old). Closed #14.

Is this still the case, 3 years later? Oldest supported version of NodeJS is currently 12. So in theory we should be able to update dependencies of this module.