docusign / docusign-esign-php-client

The Official Docusign PHP Client Library used to interact with the eSign REST API. Send, sign, and approve documents using this client.
https://www.docusign.com/devcenter
MIT License

Dependency of abandoned bundle with 5 vulnerabilities #221

Closed shtumi closed 2 months ago

shtumi commented 2 months ago

This bundle requires "firebase/php-jwt", which requires "guzzlehttp/guzzle". The last one is abandoned and has 5 known vulnerabilities.

saiharipriya commented 2 months ago

Hello

The SDK relies on specific packages with no flexibility to swap them out. I would recommend interacting directly with our APIs instead. But please let me check with our engineers on it.

Thank you.

shtumi commented 2 months ago

I must admit, I'm truly impressed by your response. Do you also suggest discontinuing the use of DocuSign altogether?

You've presented two solutions for PHP users dealing with DocuSign:

This doesn't align with the expectations of a reputable company...

This SDK is a crucial component of DocuSign's service. We've invested significant time integrating DocuSign's functionality using this SDK, and naturally, we expect DocuSign to uphold their responsibility by providing continued support and maintaining the library in optimal condition. It's worth mentioning that DocuSign is not a free service.

I firmly believe that dedicating some developer resources to avoiding the use of vulnerable and neglected dependencies in your SDK is essential.

saiharipriya commented 2 months ago

Hello, I apologise if I misunderstood the case. Please let me check with our engineers and get back to you.

saiharipriya commented 2 months ago

Hello,

Could you please tell us which version of the SDK package is being used in your case?

Thanks, Sai

garg-mudit commented 2 months ago

Hi @shtumi,

I'm a member of the Docusign DevX team and responsible for improving the developer experience with our SDK. I agree with your assessment that there's room for significant improvements in our current SDKs.

I recently looked into potential vulnerabilities in the latest version of the eSign PHP SDK, both direct and through transitive dependencies. I used composer audit --no-dev, which, as far as I understand, also checks for vulnerabilities via transitive dependencies. Here are the results:


Based on this assessment, I didn't find any vulnerabilities in the eSign package. Please feel free to correct me if I'm mistaken.

At the same time, I also want to acknowledge that there are abandoned transitive dependencies listed under require-dev. However, to the best of my knowledge, these dependencies don't impact or introduce any vulnerabilities to the eSign package.

Please don't hesitate to correct me if you think I'm mistaken, and I'm open to discussing potential solutions.

Thank You.

garg-mudit commented 2 months ago

This bundle requires "firebase/php-jwt", which requires "guzzlehttp/guzzle",

It seems you're confused between two similar packages: guzzlehttp/guzzle and guzzle/guzzle.

As you mentioned, the latest version of the SDK relies on firebase/php-jwt (version ^6.0.0), which in turn requires guzzlehttp/guzzle.

Notably, guzzle/guzzle is an abandoned package, replaced by guzzlehttp/guzzle.


Currently, the mentioned package (i.e. guzzle/guzzle) is only included in require-dev.

Based on this information and my last message, there doesn't seem to be a vulnerability within the eSign PHP SDK package. Please correct me if I'm mistaken. I'm here to assist with any further concerns.

Thank you.
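To make the distinction drawn above concrete (production `packages` versus `packages-dev`, and which package pulls a transitive dependency in), here is a small PHP script added for illustration; it is not code from the thread or from the SDK. It indexes a composer.lock and prints, for each package of interest, the lock section it lives in, its abandoned marker if any, and every dependency chain that leads to it. The lock content is constructed to mirror the situation described in this issue, and the `some/dev-tool` package is a hypothetical placeholder.

```php
<?php
// Added example: audit a composer.lock for where a dependency comes from.
// LOCK_JSON is constructed for this demo; replace it with file_get_contents('composer.lock').
declare(strict_types=1);

const LOCK_JSON = <<<'JSON'
{"packages": [
  {"name": "docusign/esign-client", "version": "6.19.0", "require": {"firebase/php-jwt": "^6.0.0"}},
  {"name": "firebase/php-jwt", "version": "v6.10.0", "require": {"guzzlehttp/guzzle": "^6.5||^7.4"}},
  {"name": "guzzlehttp/guzzle", "version": "7.8.1", "require": {}}
 ],
 "packages-dev": [
  {"name": "some/dev-tool", "version": "1.0.0", "require": {"guzzle/guzzle": "^3.8"}},
  {"name": "guzzle/guzzle", "version": "v3.9.3", "require": {}, "abandoned": "guzzlehttp/guzzle"}
 ]}
JSON;

/** Map package name => section, direct requirements and the lock's "abandoned" marker. */
function indexLock(array $lock): array
{
    $index = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $index[$pkg['name']] = [
                'section'   => $section,
                'requires'  => array_keys($pkg['require'] ?? []),
                'abandoned' => $pkg['abandoned'] ?? false, // true or replacement name
            ];
        }
    }
    return $index;
}

/** Walk reverse dependencies and return every chain root -> ... -> $target. */
function chainsTo(array $index, string $target, array $path = []): array
{
    $path = [$target, ...$path];
    $parents = array_keys(array_filter($index, fn($p) => in_array($target, $p['requires'], true)));
    if ($parents === []) {
        return [$path]; // nothing in the lock requires it: it is a root-level dependency
    }
    $chains = [];
    foreach ($parents as $parent) {
        if (!in_array($parent, $path, true)) { // guard against dependency cycles
            $chains = [...$chains, ...chainsTo($index, $parent, $path)];
        }
    }
    return $chains;
}

$index = indexLock(json_decode(LOCK_JSON, true, 512, JSON_THROW_ON_ERROR));
foreach (['guzzlehttp/guzzle', 'guzzle/guzzle'] as $name) {
    $meta = $index[$name];
    $flag = $meta['abandoned'] ? " (abandoned, replaced by {$meta['abandoned']})" : '';
    echo "$name [{$meta['section']}]$flag\n";
    foreach (chainsTo($index, $name) as $chain) {
        echo '  ' . implode(' -> ', $chain) . "\n";
    }
}
```

With the constructed lock this reports guzzlehttp/guzzle under `packages` via docusign/esign-client -> firebase/php-jwt, and guzzle/guzzle under `packages-dev` only, which is the check `composer audit --no-dev` relies on when it excludes dev-only packages.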

shtumi commented 2 months ago

In my composer.json I just included this lib as: "docusign/esign-client": "*", which loads v6.19.0

Then composer automatically loads firebase/php-jwt of version v6.10.0 from your dependencies which then requires "guzzlehttp/guzzle": "^6.5||^7.4",

Then when I run composer audit it displays:

shtumi commented 2 months ago

It's weird, but if I add "guzzlehttp/guzzle": "7.8.1" to my composer.json, it solves the problem. Maybe it is related to the local cache.