atom / node-keytar

Native Password Node Module
https://atom.github.io/node-keytar
MIT License

Upgrade dependencies' major versions #438

Closed BHANU2705 closed 2 years ago

BHANU2705 commented 2 years ago


Description

The dependencies (node-addon-api and prebuild-install) have had major version upgrades. The current versions are as follows:

These two dependencies bring in many transitive dependencies which have security vulnerabilities; WhiteSource keeps reporting them, and consumers are unable to fix them properly.

Hence, I am requesting that you upgrade keytar's dependencies to their new major versions and release a new version of keytar, so that many of the security vulnerabilities get fixed.

robertpatrick commented 2 years ago

Upgrading to the latest prebuild-install (7.0.1 as of today) will pull in the version of simple-get containing the fix for CVE-2022-0355.

aruniverse commented 2 years ago

Also, shouldn't prebuild-install be a dev dep?

sergiou87 commented 2 years ago

All those dependencies have been upgraded. I'll test this tomorrow with GitHub Desktop and make a release if everything goes well. Sorry for the delay! /cc @joaomoreno

aruniverse commented 2 years ago

> Also, shouldn't prebuild-install be a dev dep?

@sergiou87 thoughts on this? It's only being used to install prior to building.

sergiou87 commented 2 years ago

@aruniverse check this https://github.com/atom/node-keytar/pull/443#issuecomment-1026812194

I actually did that initially, but it needs to be a runtime dep so it pulls all prebuilt binaries when node-keytar is added as a dependency by other projects 😅

aruniverse commented 2 years ago

> I actually did that initially, but it needs to be a runtime dep so it pulls all prebuilt binaries when node-keytar is added as a dependency by other projects 😅

Ah sorry, didn't look at the thread, just the diff. Should it then be a peer dep? @sergiou87
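The dev-dep versus runtime-dep point above comes down to one fact: npm does not install a package's devDependencies for the package's consumers, so any binary that the package's own install-time lifecycle script runs (here `prebuild-install`) has to be a regular dependency, or the consumer's install of the package fails or silently falls back to a source build. The following is an added example, not code from node-keytar or from anyone in this thread: a small manifest lint that walks the `preinstall`/`install`/`postinstall` scripts and reports commands that are declared only under devDependencies (or not at all). The two sample manifests, the package name `example-native-addon`, the version ranges, and the set of commands assumed to be provided by the runtime (`node`, `npm`, `npx`, and `node-gyp`, which ships bundled with npm) are all constructed for illustration.

```javascript
// Added example (not node-keytar's own code): lint a package.json so that every
// command run from its install-time lifecycle scripts is a runtime dependency.
// Rationale: consumers installing the package never receive its devDependencies.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Commands assumed available at install time without being declared in the
// manifest (assumption: node/npm are present and node-gyp is bundled with npm).
const PROVIDED_BY_RUNTIME = new Set(['node', 'npm', 'npx', 'node-gyp']);

// Split a script such as "prebuild-install || node-gyp rebuild" into the
// command word of each segment, skipping leading VAR=value assignments.
function commandsIn(script) {
  return script
    .split(/\|\||&&|;|\|/)
    .map((segment) =>
      segment
        .trim()
        .split(/\s+/)
        .find((tok) => tok && !/^[A-Za-z_][A-Za-z0-9_]*=/.test(tok)))
    .filter(Boolean);
}

// Returns one finding per lifecycle command that is not a runtime dependency.
// Each finding records the hook, the command, and where it is (not) declared.
function checkInstallDeps(pkg) {
  const deps = new Set(Object.keys(pkg.dependencies || {}));
  const devDeps = new Set(Object.keys(pkg.devDependencies || {}));
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const script = pkg.scripts && pkg.scripts[hook];
    if (!script) continue;
    for (const command of commandsIn(script)) {
      if (PROVIDED_BY_RUNTIME.has(command) || deps.has(command)) continue;
      findings.push({
        hook,
        command,
        declaredIn: devDeps.has(command) ? 'devDependencies' : 'nowhere',
      });
    }
  }
  return findings;
}

// Constructed sample manifests (illustrative; not keytar's real package.json).
// "before": prebuild-install listed as a dev dependency, the mistake discussed.
const manifestBefore = {
  name: 'example-native-addon',
  scripts: { install: 'prebuild-install || node-gyp rebuild' },
  dependencies: { 'node-addon-api': '^4.0.0' },
  devDependencies: { 'prebuild-install': '^7.0.1' },
};

// "after": prebuild-install moved to dependencies, so consumers receive it and
// the install script can fetch prebuilt binaries instead of failing over to a
// from-source build.
const manifestAfter = {
  ...manifestBefore,
  dependencies: { 'node-addon-api': '^4.0.0', 'prebuild-install': '^7.0.1' },
  devDependencies: {},
};

console.log('before:', checkInstallDeps(manifestBefore));
console.log('after:', checkInstallDeps(manifestAfter));
```

Running it prints one finding for the "before" manifest (`prebuild-install` invoked from the `install` hook but declared only in devDependencies) and none for the "after" manifest. The same check is a reasonable pre-publish guard for any native addon that relies on an install-time download-or-build step.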

joaomoreno commented 2 years ago

> All those dependencies have been upgraded. I'll test this tomorrow with GitHub Desktop and make a release if everything goes well. Sorry for the delay! /cc @joaomoreno

Fantastic, thanks! I'll update the dependencies to keytar upstream, once you release a new version.