deepgram / deepgram-js-sdk

Official JavaScript SDK for Deepgram's automated speech recognition APIs.
https://developers.deepgram.com
MIT License
127 stars, 45 forks

Transitive dependency on es5-ext causes socket.dev / snyk errors #288

Closed lox closed 1 month ago

lox commented 1 month ago

What is the current behavior?

Currently, because websocket depends on es5-ext, the deepgram package causes failures in builds that rely on socket.dev and snyk for dependency scanning.

The issue is that es5-ext publishes protest banners. I have zero interest in the politics, but from my perspective it's a breach of trust that makes it a supply chain risk.

Steps to reproduce

Run a build with socket.dev.


See https://socket.dev/npm/package/@deepgram/sdk

Expected behavior

No critical errors.

Fixes

This can be resolved by adding this to your package.json:

  "resolutions": {
    "es5-ext": "0.10.53"
  },
lukeocodes commented 1 month ago

Wow, thanks. I'll review this first thing and get a patch out.

We have a draft PR for removing that websocket library; it should be released as 3.4.x this week.

lukeocodes commented 1 month ago

Release for this and another vuln just pushed out.