Npm Audit Failure #208
Comments
Looks like google-discovery-to-swagger and raml-to-swagger aren't really maintained anymore. Perhaps there are other modules that can be used instead?
Thanks all. I updated some deps using
Feel free to ask for help 👍
Per company rules I can't use this module because of this. If you can't get the dependencies fixed, wouldn't an easy fix on your side be to make those dependencies optional? Right now I don't convert from RAML or Google Discovery, so I don't even need those packages, but they are not optional and raise a red security flag :(
That's a great idea! Looks like we'd just have to edit the code a bit to handle missing I won't have time in the near future to get to this, but will happily accept a PR.
@bobby-brennan you're all set if you want to review, see #218
They also could be on Based on the reading of the peer dependencies https://npm.github.io/using-pkgs-docs/package-json/types/peerdependencies.html, the formatters could be considered as plugins that the user should install manually as per requirement. Furthermore, the only downside is console spamming of WARNs for each of the peer dependencies.
Dependencies are optional now.
2 of the dependencies of api spec converter 2.7.32, google-discovery-to-swagger and raml-to-swagger, both require an outdated version of jsonpath/static-eval that has security vulnerabilities (see https://www.npmjs.com/advisories/758 and https://www.npmjs.com/advisories/548).
Can you update your dependencies so they are no longer vulnerable?