
chore: resolve shin and urijs vulnerabilities #308

Closed
wants to merge 2 commits into from

Conversation

kleyow
Contributor

@kleyow kleyow commented Aug 2, 2021

mojaloop/project#2354

https://github.com/Mermade/shins is no longer being supported, so there's no nice solution to the vulnerability other than permanently ignoring it for now.
I don't see an easy way to update shins to https://github.com/Mermade/reslate either.

@kleyow kleyow marked this pull request as ready for review August 2, 2021 04:10
@mdebarros
Member

mdebarros commented Aug 3, 2021

> mojaloop/project#2354
>
> https://github.com/Mermade/shins is no longer being supported, so there's no nice solution to the vulnerability other than permanently ignoring it for now.
> I don't see an easy way to update shins to https://github.com/Mermade/reslate either.

Thanks, @kleyow.

The issue is that this needs to be addressed on all projects that have a dependency on @mojaloop/central-services-shared, and ignoring that here will unfortunately not fix that going forward if the dependency tree is generated in those down-stream projects.

Thus I do not believe this PR will fix the issue going forward unless you feel otherwise?

I think we only really have two options here:

  1. replacing shins with reslate; or
  2. replace the current dev-documentation framework with another solution.

Looping in @vijayg10 for his comments.

@kleyow
Contributor Author

kleyow commented Aug 3, 2021

Sorry. I meant to allude to the fact that the vulnerabilities in shins/widdershins would need to be ignored permanently in all down-stream projects until a proper fix is in place.

Correct. Those two options are the only ways forward to properly address the vulnerabilities.
I'm on leave atm so when @vijayg10 chimes in we can decide on how this needs to proceed.

@vijayg10
Contributor

vijayg10 commented Aug 3, 2021

If reslate can be used to replace shins, then that's the easier option.
But I think we can invest some time and investigate if there are any advanced libraries for this purpose.

@mdebarros
Member

mdebarros commented

> If reslate can be used to replace shins, then that's the easier option.
> But I think we can invest some time and investigate if there are any advanced libraries for this purpose.

I agree.

Replacing Shins with Reslate would be the first option.

@kleyow
Contributor Author

kleyow commented Aug 12, 2021

Just reiterating that I don't think upgrading to reslate will be trivial. There's no documentation about upgrading, and it doesn't export any similar functions to shins AFAIK.

Pulling mojaloop/project#2354 back into the backlog since I've been pulled onto other urgent work.

If anyone wants to tackle the upgrade or moving to a different documentation framework, feel free to take this issue.

@kleyow kleyow closed this Aug 24, 2021
@kleyow kleyow deleted the chore/update-vuln branch August 24, 2021 03:58
3 participants