Npm Audit Failure #208
Comments
|
The npm audit review: Looks like google-discovery-to-swagger and raml-to-swagger aren't really maintained anymore. Perhaps there are other modules that can be used instead? |
|
Thanks all. I updated some deps using |
|
Feel free to ask for help 👍 |
|
Per company rules I can't use this module because of this. If you can't get the dependencies fixed, wouldn't an easy fix on your side be to make those dependencies optional? Right now I don't convert from RAML or Google Discovery so I don't even need those packages but there are not optional and raise a red security flag :( |
|
That's a great idea! Looks like we'd just have to edit the code a bit to handle missing I won't have time in the near future to get to this, but will happily accept a PR. |
|
@bobby-brennan you're all set if you want to review see #218 |
|
They also could be on Based on the reading of the peer dependencies https://npm.github.io/using-pkgs-docs/package-json/types/peerdependencies.html, the formaters could be considered as plugins that the user should install manually as per requirement. Furthermore, The only downside is console spamming of WARNs for each of the peer dependencies. |
|
Dependencies are optional now. |
2 of the dependencies of api spec converter 2.7.32, google-discovery-to-swagger and raml-to-swagger, both require an out-dated version of jsonpath/static-eval that has security vulnerabilities. (see https://www.npmjs.com/advisories/758 and https://www.npmjs.com/advisories/548).
Can you update your dependencies so they are no longer vulnerable?
The text was updated successfully, but these errors were encountered: