Bump package `latest-version` to latest version to resolve SNYK-JS-GOT-2932019

opticdev / optic

OpenAPI linting, diffing and testing. Optic helps prevent breaking changes, publish accurate documentation and improve the design of your APIs.

https://useoptic.com

MIT License

1.36k stars 83 forks source link

Bump package `latest-version` to latest version to resolve SNYK-JS-GOT-2932019 #2825

Open hubofgitongithub opened 7 months ago

hubofgitongithub commented 7 months ago

Describe the bug Our security scanner is triggering on:

got@9.6.0:
    Found vulnerabilities: 
    - Open Redirect – medium severity, https://snyk.io/vuln/SNYK-JS-GOT-2932019
    Dependency path (1 of 2): @useoptic/optic@0.54.10 ‣ latest-version@5.1.0 ‣ package-json@6.5.0 ‣ got@9.6.0

Later versions of latest-version use package-json 10 or higher. These versions do not depend on got anymore and thus resolving this security vulnerability.

niclim commented 7 months ago

Hi - this is a duplicate of this issue https://github.com/opticdev/optic/issues/2414.

Summary is we're having issues on upgrading these packages because these are ESM only supported packages it would require some work to update Optic to fully support this.

Last time I dug into this I think we ran into issues with our packaging (we use vercel/pkg, which doesn't support ESM) and needing to update importing of any ESM package (to use dynamic imports, to natively import requires more work). We're looking into options but we haven't gotten around to fixing this.