Open alinkedd opened 6 months ago
Also, it's advisable to add free Snyk for monitoring, as all vulnerabilities of public projects are always shown on Snyk without the repo maintainer's consent: https://snyk.io/test/github/diia-open-source/be-auth-service
Hi @alinkedd If updating the dependency doesn't cause further problems, we'd love to see your pull request implementing this task.
@DiiaOpenSource
There are several ways to work around unmaintained dependencies with unresponsive authors - from temporarily overriding vulnerable internal dependencies to rewriting the code. Personally, I would prefer to directly fork repositories here (which I cannot do myself without proper access rights) and patch them if no obvious alternative package is available. This approach ensures complete control over the packages and removes the urgency to drastically change the existing codebase.
Unfortunately, in the Diia ecosystem, I have no authority to implement these changes as it requires additional agreement at the system level. Not to mention, as of now, I cannot properly set it up, test it and guarantee the results for the rest of the closed system. Therefore, I will unassign this issue from myself.
Ideally, I suggest you should consult your internal technical community (developers, leads, etc.) to find and implement the right solution.
monobank-api-client and andotplib may be the latest versions, but they have not received an update in a while and may be considered unmaintained. They should be forked for internal use and patched ASAP.
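The two remediation paths discussed in this thread, overriding a vulnerable transitive dependency and forking-and-patching an unmaintained package such as monobank-api-client or andotplib, each have a failure mode worth checking for: an npm `overrides` entry can miss a nested copy of the package in the lockfile, and a fork referenced by branch name will silently pull new code on the next install. The script below is an added example, not code from the Diia project or from anyone in this thread. It runs offline against a constructed package.json and a constructed lockfileVersion 3 fragment; the package `some-vuln-lib`, the fork owner `example-org`, the commit SHA and all version numbers are made up for illustration.

```javascript
// Added example (not from the Diia project or the issue thread).
// Checks two things a reviewer wants after "override or fork" remediation:
//   1. every lockfile entry for an overridden package is at or above the override
//   2. every git-hosted (forked) dependency is pinned to a full commit SHA
// All package names, versions, the "example-org" owner and the SHA are constructed.

// Constructed package.json. "some-vuln-lib" is a hypothetical transitive dependency.
const packageJson = {
  name: "example-service",
  dependencies: {
    "monobank-api-client": "^1.0.0",
    // Fork pinned to a moving branch: a reinstall could pull unreviewed changes.
    "andotplib": "github:example-org/andotplib#main",
    // Fork pinned to an exact commit (constructed SHA), which is the safe form.
    "example-helper": "github:example-org/example-helper#0123456789abcdef0123456789abcdef01234567",
  },
  overrides: {
    "some-vuln-lib": "2.4.1",
  },
};

// Constructed package-lock.json (lockfileVersion 3) fragment. The nested copy under
// monobank-api-client still resolves to an older version than the override demands.
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-service" },
    "node_modules/monobank-api-client": { version: "1.0.3" },
    "node_modules/monobank-api-client/node_modules/some-vuln-lib": { version: "2.3.0" },
    "node_modules/some-vuln-lib": { version: "2.4.1" },
  },
};

// Parse "1.2.3", "^1.2.3", "v1.2.3" or "1.2.3-beta" into numeric [major, minor, patch].
function parseVersion(spec) {
  const core = String(spec).replace(/^[\^~=v]+/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${spec}`);
  }
  return parts;
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// The package name is everything after the last "node_modules/" segment, which
// also keeps scoped names such as "@scope/name" intact.
function packageNameFromPath(lockPath) {
  const segments = lockPath.split("node_modules/");
  return segments[segments.length - 1];
}

// List every lockfile entry (top-level or nested) whose installed version is below
// the override. npm treats the override as an exact pin; here it is used as a floor.
function findOverrideViolations(pkg, lock) {
  const violations = [];
  const overrides = pkg.overrides || {};
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || !entry.version) continue;
    const name = packageNameFromPath(lockPath);
    if (!(name in overrides)) continue;
    const required = overrides[name];
    if (compareVersions(entry.version, required) < 0) {
      violations.push({ path: lockPath, installed: entry.version, required });
    }
  }
  return violations;
}

// Git dependency specs should end in a full 40-hex commit, not a branch or tag name.
const GIT_SPEC = /^(github:|git\+|git:|https?:\/\/github\.com\/)/;
const PINNED_COMMIT = /#[0-9a-f]{40}$/;

// Names of dependencies that point at a git repository without a commit pin.
function unpinnedForkSpecs(pkg) {
  const result = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    if (GIT_SPEC.test(spec) && !PINNED_COMMIT.test(spec)) result.push(name);
  }
  return result;
}

console.log("override violations:", findOverrideViolations(packageJson, packageLock));
console.log("forks not pinned to a commit:", unpinnedForkSpecs(packageJson));
```

In a real repository the two constructed objects would be replaced by `JSON.parse(fs.readFileSync("package.json"))` and the same for `package-lock.json`; running the check in CI after `npm install` catches the case where an override was added to package.json but the lockfile was never regenerated, which is exactly when Snyk keeps reporting the old version.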