heavyai / heavyai-connector

A JavaScript library for connecting to an OmniSci GPU database and running queries.
https://www.omnisci.com/

Security alert in dependency (probably not dangerous) #133

Open domoritz opened 5 years ago

domoritz commented 5 years ago

I'm getting security alerts in my apps for cryptiles and hoek, which are pulled in through the omnisci connector. Can you upgrade your dependencies to resolve these issues?

I doubt that this alert is posing any threat whatsoever, but I wanted to flag it here so we can remove the warnings.

domoritz commented 5 years ago

Ping @jrajav.

domoritz commented 5 years ago
(screenshot attached: "screen shot 2019-03-04 at 22 25 17")
jonvuri commented 5 years ago

@domoritz Hi! Just an update on this - we are tracking the main sources of the vulnerability warnings and will address them by the next major release (not the immediate next release, but the one after). The breakdown:

codecov (the only source for cryptiles and hoek) - This dependency seems to no longer be required, so we will simply remove it and test.

ws (another source of high-level vulns via Thrift, for node connector alone) - This one is more complicated, but we are investigating and will upgrade it if at all possible up to 0.12 in order to get past this vulnerability, as well as to pull in another browser-side fix that is now in upstream.

Thanks for the issue, and sorry it's spun for a while now. We'll update here when we address it with a PR.

domoritz commented 5 years ago

I moved codecov to be a dev dependency as a quick fix: https://github.com/omnisci/mapd-connector/pull/132.
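The breakdown above (cryptiles and hoek reached only through codecov, ws reached through thrift) and the quick fix of moving codecov to devDependencies both hinge on one question: is the flagged package reachable from the library's production dependencies? npm does not install a dependency's own devDependencies, so anything reachable only through a dev dependency never lands in a downstream app, while anything under `dependencies` (thrift, and through it ws) still does. The script below is an added example, not code from the mapd-connector project, and works over a constructed, simplified package.json plus a hoisted package-lock v1 style `requires` graph; the package names follow this thread but the versions and edges are illustrative, not the real lockfile.

```javascript
'use strict';

// Added example (not mapd-connector code). Constructed, simplified inputs:
// a package.json-like object and a hoisted package-lock v1 style graph where
// each entry's "requires" lists the package names it depends on.
// Package names follow the issue thread; versions and edges are illustrative.
const pkg = {
  dependencies: { thrift: '0.10.0', codecov: '3.0.0' },
  devDependencies: { mocha: '5.0.0' },
};

const lock = {
  thrift:    { version: '0.10.0', requires: { ws: '0.1.1' } },
  ws:        { version: '0.1.1',  requires: {} },
  codecov:   { version: '3.0.0',  requires: { request: '2.81.0' } },
  request:   { version: '2.81.0', requires: { hawk: '3.1.3' } },
  hawk:      { version: '3.1.3',  requires: { hoek: '2.16.3', cryptiles: '2.0.5', boom: '2.10.1' } },
  boom:      { version: '2.10.1', requires: { hoek: '2.16.3' } },
  cryptiles: { version: '2.0.5',  requires: { boom: '2.10.1' } },
  hoek:      { version: '2.16.3', requires: {} },
  mocha:     { version: '5.0.0',  requires: {} },
};

// Depth-first search from one top-level dependency, returning every
// dependency path (as an array of package names) that ends at `target`.
// A package already on the current path is skipped, so cycles terminate.
function pathsTo(lockGraph, rootName, target) {
  const found = [];
  const walk = (name, path) => {
    if (path.includes(name)) return;
    const next = path.concat(name);
    if (name === target) { found.push(next); return; }
    const entry = lockGraph[name];
    if (!entry) return; // not resolved in the lockfile (e.g. optional dep)
    for (const dep of Object.keys(entry.requires || {})) walk(dep, next);
  };
  walk(rootName, []);
  return found;
}

// Split the paths to `target` by which kind of root pulls it in.
function classify(pkgJson, lockGraph, target) {
  const collect = (roots) =>
    Object.keys(roots || {}).flatMap((r) => pathsTo(lockGraph, r, target));
  return {
    prod: collect(pkgJson.dependencies),
    dev: collect(pkgJson.devDependencies),
  };
}

// True when at least one production dependency reaches `target`, i.e. the
// package is installed into every app that depends on this library.
function shipsToConsumers(pkgJson, lockGraph, target) {
  return classify(pkgJson, lockGraph, target).prod.length > 0;
}

// Model the quick fix: move one top-level dependency to devDependencies.
// Returns the same object if `name` is not a production dependency.
function moveToDev(pkgJson, name) {
  const { [name]: version, ...rest } = pkgJson.dependencies || {};
  if (version === undefined) return pkgJson;
  return {
    ...pkgJson,
    dependencies: rest,
    devDependencies: { ...(pkgJson.devDependencies || {}), [name]: version },
  };
}

// Human-readable report for a set of flagged packages.
function report(pkgJson, lockGraph, targets) {
  return targets.map((t) => {
    const { prod, dev } = classify(pkgJson, lockGraph, t);
    const show = (ps) => (ps.length ? ps.map((p) => p.join(' > ')).join('; ') : 'none');
    const verdict = prod.length ? 'SHIPS to consumers' : 'dev-only';
    return `${t}: ${verdict}\n  prod paths: ${show(prod)}\n  dev paths:  ${show(dev)}`;
  }).join('\n');
}

const flagged = ['cryptiles', 'hoek', 'ws'];
console.log('--- before moving codecov ---');
console.log(report(pkg, lock, flagged));
const afterFix = moveToDev(pkg, 'codecov');
console.log('--- after moving codecov to devDependencies ---');
console.log(report(afterFix, lock, flagged));
```

On a real checkout the same two answers come from npm itself: `npm ls cryptiles` prints the paths that pull a package in, and `npm audit --production` (npm 6/7) or `npm audit --omit=dev` (npm 8+) restricts the audit to what consumers actually install. The ws case is the one that survives the quick fix here, which matches the thread: it is reachable through a production dependency (thrift), so only a thrift runtime upgrade clears it for downstream apps.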

domoritz commented 4 years ago

@jrajav Could you make a release? The last release I see was 8 months ago.

jonvuri commented 4 years ago

@domoritz We just released 5.1.0. The remaining vulnerabilities fall into this category, currently:

We are investigating a Thrift runtime upgrade to be done shortly, but currently are tied to 0.10.0.