db-migrate / mongodb

mongodb driver for db-migrate

mongodb: use driver 4.7.0 #50

Open rodmatos opened 2 years ago

rodmatos commented 2 years ago

Since this project is running on an old mongodb driver version, we should update it. Will address issue #51.

EricThompson-PeopleReign commented 2 years ago

It would be great to get this merged in. There are vulnerabilities in this package that can be remediated by this.

rodmatos commented 1 year ago

@EricThompson-PeopleReign: I haven't been able to get an answer from the maintainer, so I wouldn't be too hopeful.

wzrdtales commented 1 year ago

This merge request doesn't attempt to upgrade the version. Also, we will need to add GitLab Actions to the repo now that Travis is non-free. I also don't have an environment with MongoDB right now to do manual testing in case.

rodmatos commented 1 year ago

@wzrdtales: I am aware of that. I am happy to contribute the upgrade, but the whole CI needs a revamp since it is using an outdated toolchain.

wzrdtales commented 1 year ago

Which toolchain are you talking about? If you mean vows, it's not really worth the effort in time, but feel free to replace it with what the other projects already use, hapi lab.

EricThompson-PeopleReign commented 1 year ago

I think moving away from vows would be a good idea. It also brings in some vulnerability issues unless it can be upgraded to 0.8.3, but apparently tests break if we do.

wzrdtales commented 1 year ago

Vulnerabilities in dev dependencies don't matter much usually; they don't end up in the end product. Also, you will need to learn to distinguish vulnerabilities. As a piece of advice, don't make everything an elephant.

We're talking about a CVE of type ReDoS vulnerability; there couldn't be anything less relevant in a dev dependency. If it is an RCE, ok, that is also dangerous over there, even though not actually relevant in most cases, since there has to be an actor to exploit it, which is very unlikely unless you're very specifically targeted by hackers.
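The distinction drawn in the last two comments, production versus dev-only dependencies and ReDoS versus something worse, can be made mechanically from the lockfile. The following is an added example written for this thread, not code from db-migrate or its mongodb driver: it reads the `packages` map of a package-lock.json (lockfile version 2 or 3), where an entry carries `"dev": true` when it is reachable only through devDependencies, and uses that to decide how much an advisory matters. The lockfile fragment and the advisory records are constructed for illustration; the advisory shape (`package`, `severity`, `kind`) is this example's own, not npm audit's output format.

```javascript
// Added example (not from the db-migrate/mongodb project): triage dependency
// advisories by whether the affected package is only a development-time
// dependency, using the "dev" flag in package-lock.json v2/v3 "packages".

// Constructed, minimal lockfile fragment for illustration only.
const sampleLock = {
  name: 'db-migrate-mongodb',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { mongodb: '^4.7.0' }, devDependencies: { vows: '^0.8.2' } },
    'node_modules/mongodb': { version: '4.7.0' },
    'node_modules/vows': { version: '0.8.2', dev: true },
    'node_modules/eyes': { version: '0.1.8', dev: true },
  },
};

// Constructed advisory records; shape is this example's own, not npm audit's.
const sampleAdvisories = [
  { package: 'eyes', severity: 'moderate', kind: 'ReDoS' },
  { package: 'vows', severity: 'high', kind: 'RCE' },
  { package: 'mongodb', severity: 'high', kind: 'other' },
  { package: 'left-pad', severity: 'low', kind: 'ReDoS' },
];

// Returns 'prod', 'dev', or 'absent' for a package name, based on the lockfile.
function packageScope(lock, name) {
  const entry = lock.packages[`node_modules/${name}`];
  if (!entry) return 'absent';
  return entry.dev ? 'dev' : 'prod';
}

// Attach a scope and a triage action to each advisory. Production-reachable
// packages are always fixed; dev-only ReDoS is deferred because nothing in the
// shipped product runs that code on attacker-controlled input; other dev-only
// classes still get a review because they run on CI and developer machines.
function triageAdvisories(lock, advisories) {
  return advisories.map((adv) => {
    const scope = packageScope(lock, adv.package);
    let action;
    if (scope === 'absent') action = 'ignore: not installed';
    else if (scope === 'prod') action = 'fix: ships to users';
    else if (adv.kind === 'ReDoS') action = 'defer: dev-only, no untrusted input';
    else action = 'review: dev-only but runs on CI/developer machines';
    return { ...adv, scope, action };
  });
}

// Collect only what must be fixed before a release.
function blockingAdvisories(lock, advisories) {
  return triageAdvisories(lock, advisories).filter((a) => a.scope === 'prod');
}

module.exports = { packageScope, triageAdvisories, blockingAdvisories };
```

Run with a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the `dev` flag is set by npm itself, so no separate dependency-graph walk is needed.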