strongloop / loopback-component-storage

Storage component for LoopBack.

chore: update dependency #285

Open jannyHou opened 4 years ago

jannyHou commented 4 years ago

Update the dependencies:

Solution is from https://github.com/ppproxy/loopback-component-storage/commit/1ab25b68910b37bf0dd2db697ec363a804483e8a

The vulnerable package path is: loopback-component-storage@3.6.3 › pkgcloud@2.2.0 › liboneandone@1.2.0 › mocha@2.5.3 › growl@1.9.2

liboneandone is not maintained anymore; for more discussion see https://github.com/pkgcloud/pkgcloud/issues/644, https://github.com/pkgcloud/pkgcloud/issues/675, https://github.com/pkgcloud/pkgcloud/pull/671

jannyHou commented 4 years ago

Should fix the vulnerability, see the installation message:

jannyHous-MacBook-Pro:loopback-component-storage jannyhou$ npm i
npm WARN deprecated superagent@3.8.3: Please note that v5.0.1+ of superagent removes User-Agent header by default, therefore you may need to add it yourself (e.g. GitHub blocks requests without a User-Agent header).  This notice will go away with v5.0.2+ once it is released.

> ejs@2.7.4 postinstall /Users/jannyhou/Desktop/2019/snyk/loopback-component-storage/node_modules/ejs
> node ./postinstall.js

Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)

npm WARN eslint-plugin-mocha@4.12.1 requires a peer of eslint@^2.0.0 || ^3.0.0 || ^4.0.0 but none is installed. You must install peer dependencies yourself.

added 455 packages from 855 contributors and audited 2594 packages in 34.911s
found 0 vulnerabilities

jannyHou commented 4 years ago

Chatted with @raymondfeng; the best solution would be a new release of https://github.com/1and1/oneandone-cloudserver-sdk-nodejs

I contacted the author in https://github.com/1and1/oneandone-cloudserver-sdk-nodejs/issues/21#issuecomment-574834558, will wait and see if we can use the new release.

hectorleiva commented 4 years ago

Hey all, I really appreciate all the work that has gone into this package to make Strongloop/Loopback a viable framework.

I'm hoping that this can be merged in sometime soon as I continue to get critical and high warnings via npm audit when it seems like this branch resolves these warnings.

Again, I appreciate all the work! Thanks in advance.

pbalan commented 4 years ago

Waiting for this update too.

raymondfeng commented 4 years ago

To those who are concerned, we did the analysis and concluded that the reported vulnerability was transitively from an older version of mocha. No runtime code uses that dependency and it's safe even though a warning is issued by npm audit.

We understand the alerts are annoying. We have tried to get it fixed by upstream modules but no success so far. It's a bit frustrating. We'll see if we have to fork the offending modules and release them under new names.
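
The two comments above describe the same check from both ends: the first gives the exact dependency chain npm audit complained about, the second says that chain comes from an old mocha pulled in as a runtime dependency of liboneandone. The script below is an added example, not code from loopback-component-storage or pkgcloud: it reads a lockfileVersion 2/3 `package-lock.json` structure, finds every path from the project root to a flagged package using Node's nearest-`node_modules` resolution, and reports whether the package is reachable through production dependencies alone. The embedded lock object is constructed for the example; the package names and versions on the chain are the ones from the thread, while the semver ranges and the top-level dev-only mocha@7.2.0 are assumptions.

```javascript
// Added example, not code from loopback-component-storage or pkgcloud.
// Given a package-lock.json (lockfileVersion 2 or 3), list every dependency
// path from the project root to a package flagged by `npm audit`, resolving
// each edge the way Node does (nearest enclosing node_modules wins), and say
// whether the package is reachable through production dependencies alone.

// Constructed lock snippet mirroring the chain reported in the thread:
// loopback-component-storage@3.6.3 › pkgcloud@2.2.0 › liboneandone@1.2.0
//   › mocha@2.5.3 › growl@1.9.2
// Versions on that chain are from the thread; the semver ranges and the
// top-level dev-only mocha@7.2.0 are assumptions made for this example.
const lock = {
  lockfileVersion: 2,
  packages: {
    '': {
      name: 'loopback-component-storage',
      version: '3.6.3',
      dependencies: { pkgcloud: '^2.2.0' },
      devDependencies: { mocha: '^7.0.0' },
    },
    'node_modules/pkgcloud': { version: '2.2.0', dependencies: { liboneandone: '^1.2.0' } },
    // liboneandone lists mocha as a *runtime* dependency, which is why the
    // old mocha (and growl under it) count as production packages.
    'node_modules/liboneandone': { version: '1.2.0', dependencies: { mocha: '^2.5.3' } },
    // Conflicts with the root's mocha, so npm nests it instead of hoisting it.
    'node_modules/liboneandone/node_modules/mocha': { version: '2.5.3', dependencies: { growl: '1.9.2' } },
    // No conflict for growl, so npm hoisted it to the top level.
    'node_modules/growl': { version: '1.9.2' },
    'node_modules/mocha': { version: '7.2.0', dev: true },
  },
};

// Resolve `depName` as required from the package installed at `fromKey`:
// try <fromKey>/node_modules/<dep>, then walk up one node_modules level at a
// time until the top level is reached.
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = base === '' ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Package name from a lock key such as "node_modules/a/node_modules/@s/b".
function nameFromKey(packages, key) {
  if (key === '') return packages[key].name;
  return key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Depth-first search over lock edges. Each result is the chain of name@version
// and whether it was reached without crossing a devDependencies edge.
function findPaths(lockfile, target) {
  const { packages } = lockfile;
  const results = [];
  const visit = (key, path, devOnly, seen) => {
    const entry = packages[key];
    if (!entry || seen.has(key)) return; // guard against cycles
    const name = nameFromKey(packages, key);
    const chain = path.concat(`${name}@${entry.version}`);
    if (name === target) {
      results.push({ path: chain, productionOnly: !devOnly });
      return;
    }
    const nextSeen = new Set(seen).add(key);
    const follow = (deps, dev) => {
      for (const depName of Object.keys(deps || {})) {
        const resolved = resolveDep(packages, key, depName);
        if (resolved) visit(resolved, chain, devOnly || dev, nextSeen);
      }
    };
    follow(entry.dependencies, false);
    follow(entry.devDependencies, true);
  };
  visit('', [], false, new Set());
  return results;
}

// One-word verdict for triage: does the flagged package sit on a production path?
function auditVerdict(lockfile, target) {
  const paths = findPaths(lockfile, target);
  if (paths.length === 0) return 'not installed';
  return paths.some((p) => p.productionOnly) ? 'production-reachable' : 'dev-only';
}

for (const pkg of ['growl', 'mocha']) {
  console.log(`${pkg}: ${auditVerdict(lock, pkg)}`);
  for (const p of findPaths(lock, pkg)) console.log('  ' + p.path.join(' › '));
}
```

On a real project, replace the constructed `lock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The verdict it gives for growl here is `production-reachable`, which is exactly why npm audit keeps reporting it: the install tree, not the code, decides the severity label. Whether anything actually `require`s the package at runtime, which is what the analysis in the comment above concludes it does not, is a separate question answered by reading the importing code, and this script does not make that check.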

pbalan commented 4 years ago

@raymondfeng I'd like some help with https://github.com/strongloop/loopback-component-storage/issues/237. Not sure if I should open a new one.

mjaime29 commented 4 years ago

Hey all, I really appreciate all the work. Waiting for this update too.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

KevLehman commented 4 years ago

Is there any update on this? I know that the dependency is not being used, but, the critical thing is very annoying.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

mjaime29 commented 4 years ago

Is there any update on this?

PowerICT commented 4 years ago

Any update on this issue?

lewie6 commented 3 years ago

Hey, any update on this issue?

Gayathri-Nadimpalli commented 3 years ago

Is there any update on this story?

dhmlau commented 3 years ago

Just checked the comment @jannyHou posted above: https://github.com/1and1/oneandone-cloudserver-sdk-nodejs/issues/21#issuecomment-574834558; there's no progress from there.

In the meanwhile, please take a look at @raymondfeng's comment:

No runtime code uses that dependency and it's safe even though a warning is issued by npm audit.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.