elsa-workflows / elsa-core

A .NET workflows library
https://v3.elsaworkflows.io/
MIT License

Found transitive dependency 'Commander' package version as outdated #3888

Closed ziaur-r closed 1 year ago

ziaur-r commented 1 year ago

Hi Friends,

I have observed an outdated commander package (v2.20.X) being used as a transitive dependency in the elsa-workflows-studio package, as shown below:

```
+-- @elsa-workflows/elsa-workflows-studio@2.8.2
| +-- d3@7.6.1
| | `-- d3-dsv@3.0.1
| |   `-- commander@7.2.0
| +-- dagre-d3@0.6.4
| | `-- d3@5.16.0
| |   `-- d3-dsv@1.2.0
| |     `-- commander@2.20.3 deduped
| `-- tslint@6.1.3
|   `-- commander@2.20.3 deduped
+-- codelyzer@6.0.2
| `-- aria-query@3.0.0
|   `-- commander@2.20.3 deduped
+-- concat@1.0.3
| `-- commander@2.20.3
+-- eclint@2.8.1
| `-- editorconfig@0.15.3
|   `-- commander@2.20.3 deduped
`-- sonarqube-scanner@2.8.1
  `-- download@6.2.5
    `-- decompress@4.2.1
      `-- decompress-tarbz2@4.1.1
        `-- seek-bzip@1.0.6
          `-- commander@2.20.3 deduped
```

But this commander package version has been marked End-Of-Life already: https://github.com/tj/commander.js/security

Can you please let me know when you plan to update to the latest commander version in the elsa dependency?

sfmskywalker commented 1 year ago

Unfortunately, this is an implicit dependency introduced with d3 and/or d3-dagre - the latter one being deprecated as well, and last time I checked there was no replacement available. Which means we'd have to fork the project and update it.

If someone wants to help with that, that would be great.
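
One way to trace which packages pull in the old commander line, as an added example (not code from the elsa-core project or from the commenters): it walks a tree in the shape `npm ls --all --json` emits, here a constructed and trimmed copy of the tree quoted in the issue, and groups each chain by the package that directly requires commander 2.x. The function names, the root project name and the major-version floor of 3 are assumptions.

```javascript
// Added example. Constructed, trimmed copy of the tree quoted in the issue,
// in the shape `npm ls --all --json` emits.
const tree = {
  name: "app", // hypothetical root project
  dependencies: {
    "@elsa-workflows/elsa-workflows-studio": { version: "2.8.2", dependencies: {
      d3: { version: "7.6.1", dependencies: {
        "d3-dsv": { version: "3.0.1", dependencies: { commander: { version: "7.2.0" } } } } },
      "dagre-d3": { version: "0.6.4", dependencies: {
        d3: { version: "5.16.0", dependencies: {
          "d3-dsv": { version: "1.2.0", dependencies: { commander: { version: "2.20.3" } } } } } } },
      tslint: { version: "6.1.3", dependencies: { commander: { version: "2.20.3" } } } } },
    concat: { version: "1.0.3", dependencies: { commander: { version: "2.20.3" } } },
  },
};

// Return every dependency chain that ends at `target` with a major version
// below `minMajor`. Each chain is an array of "name@version" strings.
function findOutdatedPaths(node, target, minMajor, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${name}@${dep.version}`];
    const major = parseInt(String(dep.version).split(".")[0], 10);
    if (name === target && major < minMajor) hits.push(here);
    hits.push(...findOutdatedPaths(dep, target, minMajor, here));
  }
  return hits;
}

// Group chains by the package that directly requires the outdated version:
// those are the packages that need an upgrade, a replacement or a fork.
function groupByIntroducer(paths) {
  const groups = {};
  for (const p of paths) {
    const parent = p.length > 1 ? p[p.length - 2] : "(direct dependency)";
    groups[parent] = groups[parent] || [];
    groups[parent].push(p.join(" > "));
  }
  return groups;
}

// Assumed floor: major 3, which flags the 2.x line reported in the issue.
const paths = findOutdatedPaths(tree, "commander", 3);
console.log(groupByIntroducer(paths));
```

On a real project, replace the constructed `tree` with the parsed output of `npm ls --all --json`.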

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.