Open pedroresende opened 1 year ago
There are a number of deprecations coming from this module:
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
Dependency chains for the three deprecations:
└─┬ @storybook/blocks@7.2.1
  └─┬ @storybook/components@7.2.1
    └─┬ @storybook/icons@1.1.2
      └─┬ @svgr/plugin-svgo@5.5.0
        └── svgo@1.3.2
└─┬ @storybook/blocks@7.2.1
  └─┬ @storybook/components@7.2.1
    └─┬ @storybook/icons@1.1.2
      ├── axios@1.4.0
      └─┬ figma-api-exporter@0.0.2
        ├── axios@0.19.2
        └─┬ figma-js@1.16.0
          └── axios@0.21.4
└─┬ @storybook/blocks@7.2.1
  └─┬ @storybook/components@7.2.1
    └─┬ @storybook/icons@1.1.2
      └─┬ @svgr/plugin-svgo@5.5.0
        └─┬ svgo@1.3.2
          └── stable@0.1.8
Thanks a lot for looking into it @pedroresende @silverwind. The icon library doesn't have any dependencies. We only use these libraries locally to generate the icons from Figma. But I agree that we should take the time to fix it. The generator is not built with ESM and I'm not an expert in that. To update all libraries I believe we should fix this all together.
I see that https://github.com/storybookjs/icons/commit/d2f8113c08f1a6e596ea3a220f38b80a4cae33db moved all dependencies to devDependencies, so they will no longer install with 1.1.3 or above and this issue is resolved for users of the module. Developers may theoretically still be vulnerable, though.
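The difference between what a consumer installs and what a developer of the package installs, as an added example that is not part of the thread or the project's code. Package versions come from the chains above; the pinned `registry` data, the `1.1.3` manifest and the function name `installChains` are constructed for illustration.

```javascript
// Constructed, simplified registry metadata (exact pins instead of ranges).
const registry = {
  "figma-api-exporter@0.0.2": { dependencies: { axios: "0.19.2", "figma-js": "1.16.0" } },
  "figma-js@1.16.0": { dependencies: { axios: "0.21.4" } },
  "@svgr/plugin-svgo@5.5.0": { dependencies: { svgo: "1.3.2" } },
  "svgo@1.3.2": { dependencies: { stable: "0.1.8" } },
};
const tooling = { axios: "1.4.0", "figma-api-exporter": "0.0.2", "@svgr/plugin-svgo": "5.5.0" };

// Manifest with the tooling in dependencies, and after the move to devDependencies.
const before = { name: "@storybook/icons", version: "1.1.2", dependencies: tooling };
const after = { name: "@storybook/icons", version: "1.1.3", devDependencies: tooling };

// Packages npm warned about in this issue.
const flagged = new Set(["axios@0.19.2", "svgo@1.3.2", "stable@0.1.8"]);

// Returns every chain from `manifest` to a flagged package.
// A consumer gets only `dependencies`, followed transitively.
// A developer working in the package's own repo also gets its root
// devDependencies (devDependencies of transitive packages are never installed).
function installChains(manifest, { asDeveloper = false } = {}) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, version] of Object.entries(deps || {})) {
      const id = `${name}@${version}`;
      if (path.includes(id)) continue; // guard against dependency cycles
      const chain = [...path, id];
      if (flagged.has(id)) hits.push(chain.join(" > "));
      walk((registry[id] || {}).dependencies, chain);
    }
  };
  const root = [`${manifest.name}@${manifest.version}`];
  walk(manifest.dependencies, root);
  if (asDeveloper) walk(manifest.devDependencies, root);
  return hits;
}

console.log("consumer, before:", installChains(before));
console.log("consumer, after: ", installChains(after));
console.log("developer, after:", installChains(after, { asDeveloper: true }));
```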
Yes, you're right @silverwind. I'll keep this issue open as this is still something I would love to resolve. I tried to convert our generator to ESM and update all packages at the same time, but I couldn't work everything out just yet.
I opened https://github.com/slawomirkolodziej/figma-api-exporter/issues/10 over there at the other package to ask about the changes between 0.0.2 and 1.0.0, for what it's worth.
Describe the bug
You're using an outdated version of figma-api-exporter, which has a high security vulnerability because it's using axios
Steps to reproduce the behavior