Create bulk action scripts, automate your tasks, manage your projects, and seamlessly interact with the Ory Network using the Ory command line interface (CLI).
Preflight checklist
Ory Network Project
No response
Describe the bug
This is neither a bug nor a sensitive vulnerability, but I was directed here by an Ory rep. NPM reports 4 moderate severity vulnerabilities on install of ory/cli. The deal is that ory/cli depends on a version of binwrap, which depends on request (4 years deprecated), which depends on tough-cookie 2.5.0. A vulnerability was found in June 2023 affecting tough-cookie versions prior to 4.1.3.
I take it this is not a concern to you, since this vulnerability has stood for the better part of a year. But if that's the case, I'd appreciate it if you'd share why. You've got Slack and a discussions channel here on GitHub (and a few silently closed PRs from dependabot) but I have yet to see anything addressing this.
I would strongly prefer to keep my NPM vulnerabilities to 0. I'm only beginning my project with Ory and I don't yet have a great grip on how all the pieces fit together, e.g. how necessary this package is for development/production. So I can see the resolution being "you should use ory/cli as a dev dependency only" or "you can just not use ory/cli" or "sorry, try Keycloak or SuperTokens I guess".
I appreciate your time!
Reproducing the bug
npm install @ory/cli
Relevant log output
No response
Relevant configuration
No response
Version
0.3.2
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
None
Additional Context
No response
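The question the report raises is whether a transitive dependency chain like @ory/cli -> binwrap -> request -> tough-cookie actually reaches a production install, or only the development toolchain. The script below is an added example, not code from the issue author or the Ory project: it walks a package-lock.json (lockfileVersion 3 layout) to recover every chain that ends in a package named by an advisory, compares the installed version against the patched version, and reports whether the chain hangs off a production dependency or a devDependency. The lockfile fragment and advisory record are constructed inline for the example; the binwrap version and the advisory identifier are placeholders, since the issue does not give them. Only the chain shape and the tough-cookie 2.5.0 / 4.1.3 boundary come from the report.

```javascript
// Added example (not part of the issue or the Ory project): locate advisory-affected
// packages in a package-lock.json and classify each chain as production or dev-only.

// Constructed lockfile fragment modelled on the chain described in the issue:
// @ory/cli -> binwrap -> request -> tough-cookie 2.5.0. The binwrap version is a
// placeholder; the lock is not taken from a real project.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "some-app-dep": "1.0.0" },
      devDependencies: { "@ory/cli": "0.3.2" },
    },
    "node_modules/some-app-dep": { version: "1.0.0" },
    "node_modules/@ory/cli": { version: "0.3.2", dev: true, dependencies: { binwrap: "0.0.0-placeholder" } },
    "node_modules/binwrap": { version: "0.0.0-placeholder", dev: true, dependencies: { request: "2.88.2" } },
    "node_modules/request": { version: "2.88.2", dev: true, dependencies: { "tough-cookie": "~2.5.0" } },
    "node_modules/tough-cookie": { version: "2.5.0", dev: true },
  },
};

// Constructed advisory record: the issue only states "versions prior to 4.1.3",
// so the identifier is a placeholder.
const ADVISORIES = [{ id: "ADVISORY-PLACEHOLDER", name: "tough-cookie", patched: "4.1.3" }];

// Resolve `name` as npm would from the package at `fromPath`: look for a nested
// node_modules first, then walk up towards the root node_modules.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first search from the root package for every chain ending in `target`.
function findChains(lock, target) {
  const chains = [];
  const visit = (path, chain, seen) => {
    const pkg = lock.packages[path];
    if (!pkg) return;
    // Root lists devDependencies separately; nested packages only have `dependencies`.
    const deps = { ...(pkg.dependencies || {}), ...(path === "" ? pkg.devDependencies || {} : {}) };
    for (const name of Object.keys(deps)) {
      const depPath = resolveDep(lock, path, name);
      if (!depPath || seen.has(depPath)) continue; // unresolved or cycle
      const next = [...chain, { name, version: lock.packages[depPath].version, path: depPath }];
      if (name === target) { chains.push(next); continue; }
      visit(depPath, next, new Set([...seen, depPath]));
    }
  };
  visit("", [], new Set());
  return chains;
}

// Minimal major.minor.patch comparison; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function isBelow(version, patched) {
  const a = parseVersion(version), b = parseVersion(patched);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Produce one finding per vulnerable chain, noting whether the top-level package
// is a production dependency (would ship) or a devDependency (tooling only).
function audit(lock, advisories) {
  const root = lock.packages[""];
  const findings = [];
  for (const adv of advisories) {
    for (const chain of findChains(lock, adv.name)) {
      const leaf = chain[chain.length - 1];
      if (!isBelow(leaf.version, adv.patched)) continue;
      findings.push({
        advisory: adv.id,
        chain: chain.map((s) => `${s.name}@${s.version}`).join(" -> "),
        installed: leaf.version,
        patched: adv.patched,
        productionReachable: chain[0].name in (root.dependencies || {}),
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(audit(LOCK, ADVISORIES), null, 2));
```

On a real project, replace LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and feed it the advisories from `npm audit --json`. A finding with `productionReachable: false` is the "dev dependency only" outcome the report speculates about: the affected code is installed on developer machines and in CI, but `npm install --omit=dev` leaves it out of the production artifact. A `true` result means the chain ships and needs an upgrade or an override rather than a classification change.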