npm WARN deprecated messages and 17 high severity vulnerabilities in lerna #2691
Comments
jimmyandrade
changed the title
|
Hi Folks 👋 You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details). Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves. In order to take this awesome project forward from its current state, it is important that we focus our finite resources on what is most important to lerna users in 2022. With that in mind, we have identified this issue as being potentially stale due to its age and/or lack of recent activity. Next steps: We want to give you some time to read through this comment and take action per one of the steps outlined below, so for the next 14 days we will not make any further updates to this issue. @jimmyandrade as the original author of this issue, we are looking to you to update us on the latest state of this as it relates to the latest version of lerna. Please choose one of the steps below, depending on what type of issue this is:
If we do not hear from @jimmyandrade on this thread within the next 14 days, we will automatically close this issue. If you are another user impacted by this issue but it ends up being closed as part of this process, we still want to hear from you! Please simply head over to our new issue templates and fill out all the requested details on the template which applies to your situation: https://github.com/lerna/lerna/issues/new/choose Thank you all for being a part of this awesome community, we could not be more excited to help move things forward from here 🙏 🚀 |
|
Hi @jimmyandrade following on from the above note, in this case the relevant packages have all been upgraded and you will not see any Many thanks again! |
As a developer installing
lerna, no deprecation/security warning should appear, so my project can pass on Sonar Quality/Security gate from my organization.Expected Behavior
No
npm WARN deprecatedmessages or high severity vulnerabilities should appear.Current Behavior
This is what happens after install:
This is what happens when I run
npm audit fix:This is what happens when I run
npm audit:More 16 similar messages
Possible Solution
requestcould be upgraded;har-validatorcould be removed in favor of another;dot-propcould be upgraded to>=5.1.1(Lerna uses version of dot-prop@4.2.0 which does not include recent security fix #2682, Snyk Medium Severity Vulnrebility - Prototype Pollution in dot-prop dependency #2606, Security Issue with dot-prop and yargs-parser versions used #2575, Security: CVE-2020-8116 (High) detected in dot-prop-3.0.0.tgz, dot-prop-4.2.0.tgz #2492)Steps to Reproduce (for bugs)
npm init;lernaversion3.22.1todevDependencies;npm install;npm audit fix;npm audit.Context
This issue affects me because it won't pass on Sonar Quality/Security gate.
Your Environment
lerna --versionnpm --versionyarn --versionnode --versionThe text was updated successfully, but these errors were encountered: