Closed. sagarvilas closed this 5 months ago.
Hi.
So for security reports, where are you getting your reports? We run regular (daily) scans on our repos and we see no reports on these libraries.
I see from your self-reporting that you're using Unleash 4.20.1, which is more than 15 months old; 6.0.4 is the current, most up-to-date version of Unleash.
To address your specifically listed versions:

- express 4.19.2 - most recent version of express; not getting replaced/removed, but will be kept up to date
- es5-ext 0.10.64 - most recent version of es5-ext. Used by memoizee and event-emitter, so not getting removed
- inflight 1.0.6 - transitive dependency of glob, which is used by jest and our make-fetch-happen (http client)
- multer 1.4.5-lts1 - handling multi-part uploads. We found that we aren't using it, so it might very well be removed with 6.1.0 (due end of July)
- revslidator - couldn't find this in either our server or our frontend dependency tree.
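Sorting a scanner's hits into direct, transitive and absent dependencies the way the maintainer does above, as an added example that is not Unleash's own code: it assumes a package-lock.json v3 layout, and the `lock` object is constructed for the demo from the packages named in this thread.

```javascript
// Added example (not Unleash project code): walk a package-lock.json v3 "packages" map and
// list every route from the root project to a flagged package, or [] when it is absent from
// the tree (as the maintainer found for `revslidator`). The lock below is constructed.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.19.2", memoizee: "^0.4.15" }, devDependencies: { jest: "^29.0.0" } },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/memoizee": { version: "0.4.15", dependencies: { "es5-ext": "^0.10.64", "event-emitter": "^0.3.5" } },
    "node_modules/event-emitter": { version: "0.3.5", dependencies: { "es5-ext": "^0.10.64" } },
    "node_modules/es5-ext": { version: "0.10.64" },
    "node_modules/jest": { version: "29.0.0", dev: true, dependencies: { glob: "^7.2.0" } },
    "node_modules/glob": { version: "7.2.3", dev: true, dependencies: { inflight: "^1.0.4" } },
    "node_modules/inflight": { version: "1.0.6", dev: true },
  },
};
// npm resolution: try <from>/node_modules/<name>, then walk up until the top-level node_modules.
function resolve(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Last path segment: "node_modules/jest/node_modules/glob" -> "glob".
const label = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
function dependencyChains(lock, name) {
  const packages = lock.packages;
  const parents = {};   // installed path -> paths that depend on it
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const child = resolve(packages, path, dep);
      if (child) (parents[child] = parents[child] || []).push(path);
    }
  }
  const chains = [];
  const walk = (path, trail, seen) => {   // follow dependents upward; "" is the root project
    for (const parent of parents[path] || []) {
      if (parent === "") chains.push(trail.join(" > "));
      else if (!seen.has(parent)) walk(parent, [label(parent), ...trail], new Set(seen).add(parent));
    }
  };
  Object.keys(packages).filter((p) => label(p) === name).forEach((p) => walk(p, [name], new Set([p])));
  return chains;
}
```

Swap the constructed `lock` for `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` to run it against a real tree; a chain of length one is a direct dependency, longer chains are transitive, and an empty result means the scanner's hit is not in this lockfile at all.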
Hi, thank you for the update. We are using Nexus IQ scan, which I believe has stricter policies. I will consider upgrading to version 6.1.0; that would get rid of at least two vulnerable libraries.
Describe the bug
Hi Unleash developers, there are multiple libraries with critical security vulnerabilities in them. I would like to know if you plan to upgrade/replace those libraries. Below is a list of a few of them:

- express 4.19.2
- es5-ext 0.10.64
- inflight 1.0.6
- multer 1.4.5-lts.1
- revslidator 0.3.1
Steps to reproduce the bug
No response
Expected behavior
No response
Logs, error output, etc.
No response
Screenshots
No response
Additional context
No response
Unleash version
4.20.1
Subscription type
Open source
Hosting type
Self-hosted
SDK information (language and version)
No response