rollbar / rollbar.js

Error tracking and logging from Javascript to Rollbar
https://docs.rollbar.com/docs/javascript
MIT License

bump request-ip to 3.3.0 in package-lock.json #1111

Closed melvrickgoh closed 11 months ago

melvrickgoh commented 1 year ago

an extension of https://github.com/rollbar/rollbar.js/pull/1087, also bump the version of request-ip in package-lock.json

Description of the change

bump request-ip from 2.x to 3.3.0,

> 2.x version has a dependency is_js and it has a Vulnerability. I guess there are no breaking changes between 2.x and 3.x https://ossindex.sonatype.org/component/pkg:npm/is_js@0.9.0?utm_source=dependency-check&utm_medium=integration&utm_content=7.4.3 For the past 6 years, there is no update for the is_js library.

Updating package-lock.json also avoids the CVE flags by Dependabot for dependency vulnerabilities

Type of change

Related issues

Checklists


melvrickgoh commented 1 year ago

hi @waltjones, could you help take a look at this when free? (it's a continuation of #1087 )

jplaisted commented 10 months ago

FYI this still lists is_js in the lock file. It is no longer transitively reachable; but is still listed. It may need to be removed to "resolve" the vulnerability.

https://github.com/rollbar/rollbar.js/blob/848d5f0a8071147ec5ff35ec949ad29e7d2c901c/package-lock.json#L4752