opencollective / opencollective-cli

Command Line Interface for Open Collective
MIT License

increase version of inquirer dependency to rid of warnings #17

Open srguiwiz opened 4 years ago

srguiwiz commented 4 years ago

The solution would be in package.json to increase:

  "inquirer": ">=7.0.0",

and

  "version": "1.0.5",

The problem occurs, for example, when twice dependent, i.e. when doing an npm install that includes a package that uses opencollective:

joe$ npm audit
                       === npm audit security report ===                        
# Run  npm update lodash --depth 4  to resolve 2 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ javascript-obfuscator [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ javascript-obfuscator > opencollective > inquirer > lodash   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/782                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ javascript-obfuscator [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ javascript-obfuscator > opencollective > inquirer > lodash   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 high severity vulnerabilities in 518 scanned packages

lodash and inquirer fixed theirs. Now opencollective needs a fix before those who depend on it can increase their version number. If they chose something like ~1.0.4, then they don't need to do anything, because it would get 1.0.5.
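
Added example (editor's code, not from the opencollective-cli project or from either commenter): a small JavaScript semver range matcher that makes the point above concrete, namely that a downstream range such as ~1.0.4 or ^1.0.4 resolves to a 1.0.5 release automatically, while an exact pin 1.0.4 keeps the vulnerable transitive lodash until the downstream package.json is edited. The list of published versions is a constructed assumption; the range forms handled (exact, ~, ^, >=) follow standard npm semver semantics, and real tooling should use the `semver` npm package rather than this re-implementation.

```javascript
// Added example by the editor; not code from the opencollective-cli repository.
// A minimal semver range matcher for the range forms the issue talks about:
// exact "1.0.4", tilde "~1.0.4", caret "^1.0.4" and a comparator ">=7.0.0".
// Real projects should use the `semver` npm package (which npm itself uses);
// this re-implementation only exists so the example runs offline.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1, usable directly as an Array.prototype.sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside `range`?
function satisfies(version, range) {
  const r = String(range).trim();
  const v = parseVersion(version);

  if (/^\d/.test(r)) {                          // exact pin, e.g. "1.0.4"
    return compareVersions(version, r) === 0;
  }
  if (r.startsWith('~')) {                      // ~1.0.4 => >=1.0.4 <1.1.0
    const base = parseVersion(r.slice(1));
    return compareVersions(version, r.slice(1)) >= 0
      && v[0] === base[0] && v[1] === base[1];
  }
  if (r.startsWith('^')) {                      // ^1.0.4 => >=1.0.4 <2.0.0 (0.x is narrower)
    const base = parseVersion(r.slice(1));
    if (compareVersions(version, r.slice(1)) < 0) return false;
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  const cmp = /^(>=|<=|>|<)\s*(\S+)$/.exec(r);   // comparator, e.g. ">=7.0.0"
  if (cmp) {
    const c = compareVersions(version, cmp[2]);
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0 }[cmp[1]];
  }
  throw new Error(`unsupported range syntax: ${range}`);
}

// Highest published version the range allows, or null if none does.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Would a downstream package declaring `range` receive `fixedVersion` (or newer)
// on its next install without touching its own package.json?
function picksUpFix(range, published, fixedVersion) {
  const resolved = resolve(range, published);
  return resolved !== null && compareVersions(resolved, fixedVersion) >= 0;
}

// Constructed scenario mirroring the issue: assume 1.0.5 is the release that
// bumps inquirer, and these are the versions present on the registry.
const PUBLISHED_OPENCOLLECTIVE = ['1.0.3', '1.0.4', '1.0.5'];

for (const range of ['1.0.4', '~1.0.4', '^1.0.4', '>=1.0.0']) {
  console.log(
    `opencollective@"${range}" -> ${resolve(range, PUBLISHED_OPENCOLLECTIVE)}`
    + ` (picks up 1.0.5 fix: ${picksUpFix(range, PUBLISHED_OPENCOLLECTIVE, '1.0.5')})`,
  );
}
```

The practical check for a downstream maintainer is therefore the declared range, not the lockfile alone: with an exact pin the audit finding persists after the upstream release, whereas a tilde or caret range (and a fresh install or `npm update`) is enough to drop the vulnerable lodash path.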

znarf commented 4 years ago

This package will not receive further updates; we suggest switching to its replacement, opencollective-postinstall, instead, as it doesn't have any dependencies.

You can also consider removing the postinstall altogether, see: https://blog.opencollective.com/beyond-post-install/