Closed ja30278 closed 6 years ago
This PR also fixed a security vulnerability! 🎉
It'd be great to get a new version released when you have a chance, so I can update my code and remove the vulnerability.
For what it's worth, I'm not sure that supposed DOS attack from Snyk is very likely. But it's better not to have the finding at all! 🚓
@tedpennings, I published a new version just now. Let me know if there are any issues with the new version!
Thanks @bcronin!
Thrift version 0.9.2 includes an unnecessary production dependency on 'nodeunit', which in turn pulls in dependencies on 'tap' and 'nyc'.
In addition to the obvious problems, this can cause issues for users of 'yarn', due to poor interactions with 'yarn check' and 'nyc's use of 'bundledDependencies'.
This uses version 0.10.0 of thrift rather than the more recent 0.11.0 release, due to the latter's use of a version of 'ws' that does not support older node versions.
testing: This passes 'make test-all', but no other testing was done.