Closed therealklanni closed 8 years ago
@therealklanni - I think the order of fixing is: request, bitgo, and then vault. Since it wouldn't be optimal to merge a PR that breaks travis(!!), let me do some forking and testing, etc., and then talk to the repo owners... updates soon!
Yep, absolutely don't want this merged yet until resolved! :+1:
I already posted an issue on BitGo's repo. And request already has an issue open.
thanks. i am working my way down the dependencies now...
Since you pulled me in (and yep, hawk is fixed), I've been part of the team building https://snyk.io which gives you similar vuln reporting (and can/should be used as part of your CI) but also has guided remediation via updates and hosted patches. I'd definitely recommend checking it out.
Oh. I should add, there's also the ability to create a policy file via the guided remediation, so if there are vulns you need to ignore for any specific reason, that is taken into account when you run snyk test in your project.
keeping the issue -- https://github.com/brave/vault/tree/issue-41 -- but not using this fix!
to re-iterate from https://github.com/brave/vault-client/pull/6
Should not be merged until the following issues are resolved
Unfortunately, I don't recommend adding an exception for any of these packages. We should try to find a solution. The best course of action is probably to notify the maintainers (that aren't already aware).
Tracking issues: BitGo #20 chain-node #27 request #2020
Closes #45