alexa-js / alexa-verifier-middleware

An express middleware that verifies HTTP requests sent to an Alexa skill are sent from Amazon.
MIT License

Update alexa-verifier version to update validator dependency, as 3.0.2 still installs a low validator version #58

Closed Reni88 closed 9 months ago

Reni88 commented 9 months ago

image

tejashah88 commented 9 months ago

Can you add more context to this? Are you encountering a problem with this version of the "validator" module?

Reni88 commented 9 months ago

Yes. Basically, I'm using the alexa-verifier-middleware package, but its transitive dependency, validator 9.4.1, is vulnerable.

The first thing we did 1 month back was to upgrade the package lock, because it shows validator on 9.4.1. alexa-verifier 3.0.2 is the main dependency that installs it. Installing alexa-verifier separately shows the updated version of validator, but installing it from alexa-verifier-middleware installed validator 9.4.1. Thus, 2.0.3, we updated package lock.

Now, as 2.0.3 is published for alexa-verifier-middleware, I installed it through npmjs hoping validator would already be installed correctly, but was surprised to see it is still 9.4.1.

I'm not sure if there's an issue with the alexa-verifier version in alexa-verifier-middleware or there is another one which installed validator 9.4.1.

But yeah, my goal is to have validator updated the way alexa-verifier installs it, but through using alexa-verifier-middleware.

tejashah88 commented 9 months ago

@Reni88 We've just released v2.1.0, which internally uses alexa-verifier 4.0.0. Will that work better for your use case?

Reni88 commented 9 months ago

@tejashah88 Yes. I can confirm that works :) image

Thank you!
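
The question raised in this thread, which package is responsible for an installed validator version, can be answered from the lockfile itself. The following is an added example (not code from the thread or the alexa-js project) that walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) using Node's resolution order; the sample lockfile, its semver ranges, `my-skill` and `other-lib` are constructed for illustration.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout). Package versions for
// alexa-verifier-middleware, alexa-verifier and validator 9.4.1 follow the thread;
// the semver ranges, "my-skill" and "other-lib" are made up for illustration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-skill", dependencies: { "alexa-verifier-middleware": "^2.0.3", "other-lib": "^1.0.0" } },
    "node_modules/alexa-verifier-middleware": { version: "2.0.3", dependencies: { "alexa-verifier": "^3.0.2" } },
    "node_modules/alexa-verifier": { version: "3.0.2", dependencies: { validator: "^9.0.0" } },
    "node_modules/validator": { version: "9.4.1" },
    "node_modules/other-lib": { version: "1.0.0", dependencies: { validator: "^13.0.0" } },
    "node_modules/other-lib/node_modules/validator": { version: "13.7.0" },
  },
};

// Node resolution: look in the dependent's own node_modules first, then walk up.
function resolveInstalled(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. a skipped optional dependency)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Map each installed "name@version" to the packages that declare it as a dependency.
function whoRequires(lock, depName) {
  const packages = lock.packages || {};
  const result = {};
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (path === "") Object.assign(deps, meta.devDependencies);
    if (!(depName in deps)) continue;
    const target = resolveInstalled(packages, path, depName);
    if (!target) continue;
    const key = `${depName}@${packages[target].version}`;
    const dependent = path === "" ? "(root)" : `${path.split("node_modules/").pop()}@${meta.version}`;
    (result[key] = result[key] || []).push({ dependent, range: deps[depName] });
  }
  return result;
}

console.log(JSON.stringify(whoRequires(sampleLock, "validator"), null, 2));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's package-lock.json.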