yeg-relief / youcanbenefit

YouCanBenefit is a web application that increases social benefit program discoverability for people of lesser means and their allies.
https://youcanbenefit.edmonton.ca
MIT License

Upgrade deps #118

Closed j-rewerts closed 5 years ago

j-rewerts commented 5 years ago

Upgrade extend to version 3.0.2 or later

j-rewerts commented 5 years ago

We have a higher sev dependency that must be upgraded.

[Screenshot attached: "Screen Shot 2019-05-13 at 4 07 31 PM"]

Neither impacts our end users, but the tar vulnerability could impact us when we're developing.

j-rewerts commented 5 years ago

@CodyGramlich Would you mind making a PR for this when you're free?

j-rewerts commented 5 years ago

@CodyGramlich Sorry for the late review. Could you upgrade Axios as well?

j-rewerts commented 5 years ago

Some history regarding the exploit. We're currently at high risk of a DoS.

CodyGramlich commented 5 years ago

Looking into it right now.

CodyGramlich commented 5 years ago

Axios is a dependency of the @nestjs/common package. The latest version of @nestjs/common is 6.2.4, which has not upgraded axios to 0.19.0 yet. https://github.com/nestjs/nest/commit/c687b5bcda211cc72a7d470906bc80a7a3173e9a#diff-e5ee084bbc7db467b9d6ba0fba1beb9fL15

CodyGramlich commented 5 years ago

https://github.com/nestjs/nest/pull/2311 I think we have to wait until this gets merged and wait for their next release.
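The question the two comments above turn on is "which of our direct dependencies pulls in the vulnerable version, and is that chain production or development-only?" (the same split the earlier comment draws between end-user impact and the tar finding that only matters while developing). The following is an added example, not code from the youcanbenefit project or from Nest: it walks a package-lock.json in the lockfileVersion 1 layout that npm 5/6 wrote at the time, resolves `requires` edges the way npm does (a nested `dependencies` object shadows the hoisted top-level entry), and reports every chain that ends at an advisory's package below the first fixed version. The package.json, lockfile, package names `example-http-client` and `example-build-tool`, and the advisory bounds other than the extend 3.0.2 and axios 0.19.0 figures mentioned in this thread are all constructed for the example.

```javascript
// Added example (not the youcanbenefit project's code): trace vulnerable
// transitive dependencies through an npm lockfileVersion 1 tree.
// Every data structure below is constructed for the example.

// Constructed package.json: direct dependencies split by production vs. dev.
const PACKAGE_JSON = {
  dependencies: {
    "@nestjs/common": "^6.2.4",
    "example-http-client": "^1.0.0",   // hypothetical package name
  },
  devDependencies: {
    "example-build-tool": "^2.0.0",    // hypothetical package name
  },
};

// Constructed package-lock.json (lockfileVersion 1). `requires` lists the
// edges; a nested `dependencies` object holds copies that shadow the hoisted
// top-level entry for that package and everything installed beneath it.
const PACKAGE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "@nestjs/common": { version: "6.2.4", requires: { axios: "0.18.0" } },
    axios: { version: "0.18.0" },
    "example-http-client": { version: "1.0.0", requires: { extend: "^3.0.0" } },
    extend: { version: "3.0.2" },
    "example-build-tool": {
      version: "2.0.0",
      dev: true,
      requires: { tar: "^2.0.0", extend: "^3.0.0" },
      // Nested copy: the build tool resolved an older extend than the hoisted one.
      dependencies: { extend: { version: "3.0.1", dev: true } },
    },
    tar: { version: "2.2.1", dev: true },
  },
};

// Constructed advisories: package name and the first version that fixes it.
// extend 3.0.2 and axios 0.19.0 are the bounds discussed in this thread; the
// tar bound is a placeholder, take the real one from the advisory.
const ADVISORIES = [
  { name: "extend", fixedIn: "3.0.2" },
  { name: "axios", fixedIn: "0.19.0" },
  { name: "tar", fixedIn: "3.0.0" },
];

// Compare two "x.y.z" versions numerically (pre-release tags are ignored).
function versionLt(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Resolve `name` as npm does for a lockfileVersion 1 tree: the nearest
// enclosing nested `dependencies` wins, otherwise the hoisted top-level entry.
// Returns the node plus the scope it actually lives in, so that a hoisted
// package's own requires are not resolved through a requirer's nested copies.
function resolveDep(lock, name, scope) {
  for (let i = scope.length - 1; i >= 0; i--) {
    const nested = scope[i].dependencies;
    if (nested && nested[name]) return { node: nested[name], scope: scope.slice(0, i + 1) };
  }
  const node = lock.dependencies[name];
  return node ? { node, scope: [] } : null;
}

// Walk every chain from the project's direct dependencies and collect the ones
// that end at an advisory's package installed below its fixed version.
function findVulnerableChains(pkg, lock, advisories) {
  const fixedIn = new Map(advisories.map((a) => [a.name, a.fixedIn]));
  const findings = [];

  function walk(name, scope, chain, dev) {
    if (chain.includes(name)) return;          // cycle guard: npm trees can loop
    const hit = resolveDep(lock, name, scope);
    if (!hit) return;                          // lockfile out of sync with package.json
    const nextChain = chain.concat(name);
    if (fixedIn.has(name) && versionLt(hit.node.version, fixedIn.get(name))) {
      findings.push({ chain: nextChain, version: hit.node.version, fixedIn: fixedIn.get(name), dev });
    }
    const nextScope = hit.scope.concat(hit.node);
    for (const dep of Object.keys(hit.node.requires || {})) walk(dep, nextScope, nextChain, dev);
  }

  for (const name of Object.keys(pkg.dependencies || {})) walk(name, [], [], false);
  for (const name of Object.keys(pkg.devDependencies || {})) walk(name, [], [], true);
  return findings;
}

// One-line verdict per finding: the chain, installed vs. fixed version, and
// whether the chain is reachable only through devDependencies.
function describe(f) {
  const audience = f.dev ? "dev only" : "affects production";
  return `${f.chain.join(" > ")}: ${f.version} < ${f.fixedIn} (${audience})`;
}

const REPORT = findVulnerableChains(PACKAGE_JSON, PACKAGE_LOCK, ADVISORIES).map(describe);
console.log(REPORT.join("\n"));
```

On the constructed data the report shows the production chain `@nestjs/common > axios` (fixable only by a Nest release, exactly the situation in this thread) and two dev-only chains through the build tool, one of which is the shadowed nested extend 3.0.1 that a glance at the hoisted top-level entry would miss. Against a real project, replace the two constants with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json; `dev` here comes from which root list the chain starts in, which is the classification that decides whether end users are exposed.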

j-rewerts commented 5 years ago

@CodyGramlich Can you upgrade Nest to 6.x now? When they cut the minor version, we'll be ready that way.

CodyGramlich commented 5 years ago

Sure. We have to upgrade elasticsearch as well because @nestjs/elasticsearch is a peer dependency of @nestjs/common.

j-rewerts commented 5 years ago

That is pretty unfortunate. Try upgrading and be sure to test the backend.

j-rewerts commented 5 years ago

I'm worried this could alter our schema.

j-rewerts commented 5 years ago

Closed with #125.