This repository has been archived by the owner on Jan 11, 2024. It is now read-only.
Update request dependency with patched version #110
Closed
Hello! I work for a company that leverages this SDK and ran into what appears to be a security vulnerability from a transitive dependency.

We run `nsp check` to audit our dependencies. We pull in `optimizely-client-sdk@1.6.0`, which in turn pulls in the server SDK. The server SDK is flagged for us because of a vulnerability in hoek, which is transitive from `request`. Upgrading hoek removes the issue.

This can't really be verified using a unit test, but can be checked using the following:

- Run `nsp check` in the repo root of master (either via `npx` or via a global installation). Should see something similar to the above screenshot.
- Run `nsp check` again. Should see "No known vulnerabilities found".

I think this will also require a corresponding version change in the client SDK's 1.6 branch to use a caret with the published version of this, should it get merged.

Let me know if you have any questions / concerns!

Best,
Austin
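The PR description above traces the flagged package through a chain of transitive dependencies. The following is an added example, not code from the original PR or from the Optimizely SDKs, showing how to recover that chain yourself from a `package-lock.json` (lockfileVersion 1) by resolving each package's `requires` the way npm does: innermost nested `dependencies` first, then enclosing scopes up to the root. Every package name, version and range in the sample lock file is constructed for illustration; `optimizely-server-sdk` is an assumed name for the server SDK the PR mentions, and the `minPatched` threshold is a parameter you take from the advisory that flagged the package, not a value the page states.

```javascript
// Added example (not part of the original PR): find every dependency chain
// that pulls a given package into a project and flag copies older than a
// "patched" threshold, by walking a lockfileVersion 1 package-lock.json.

// Constructed lock file for illustration; names and versions are not claims
// about the real packages. "optimizely-server-sdk" is an assumed name.
const sampleLockfile = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "optimizely-client-sdk": {
      version: "1.6.0",
      requires: { "optimizely-server-sdk": "^1.0.0" },
    },
    "optimizely-server-sdk": {
      version: "1.0.0",
      requires: { request: "^2.81.0" },
    },
    request: {
      version: "2.81.0",
      requires: { hawk: "~3.1.3" },
    },
    hawk: {
      version: "3.1.3",
      requires: { hoek: "2.x.x" },
      // npm nests this copy because the hoisted top-level hoek does not satisfy 2.x.x
      dependencies: { hoek: { version: "2.16.3" } },
    },
    hoek: { version: "4.2.1" }, // a newer copy pulled in directly (constructed)
  },
};

// Direct dependencies come from package.json, not the lock file (constructed).
const sampleDirectDependencies = ["optimizely-client-sdk", "hoek"];

// Compare dotted versions numerically; prerelease and build tags are ignored.
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Look a name up in the innermost "dependencies" scope first, then outward.
function resolveDependency(name, scopes) {
  for (const deps of scopes) {
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) return deps[name];
  }
  return null;
}

// Return every chain from a direct dependency down to `target`.
function findPaths(lockfile, directDependencies, target) {
  const root = lockfile.dependencies || {};
  const found = [];
  function walk(name, node, scopes, path, seen) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) {
      found.push({ path: here, version: node.version });
      return;
    }
    const childScopes = [node.dependencies || {}, ...scopes];
    for (const dep of Object.keys(node.requires || {})) {
      if (seen.has(dep)) continue; // cycle guard
      const child = resolveDependency(dep, childScopes);
      if (child) walk(dep, child, childScopes, here, new Set([...seen, dep]));
    }
  }
  for (const name of directDependencies) {
    const node = root[name];
    if (node) walk(name, node, [root], [], new Set([name]));
  }
  return found;
}

// Flag each resolved copy of `target` whose version is below `minPatched`.
function auditPackage(lockfile, directDependencies, target, minPatched) {
  return findPaths(lockfile, directDependencies, target).map((r) => ({
    chain: r.path.join(" > "),
    version: r.version,
    vulnerable: compareVersions(r.version, minPatched) < 0,
  }));
}

// Usage: the threshold "4.2.1" is a hypothetical value for this example.
for (const r of auditPackage(sampleLockfile, sampleDirectDependencies, "hoek", "4.2.1")) {
  console.log(`${r.vulnerable ? "VULNERABLE" : "ok        "} ${r.chain}`);
}
```

The chain the walk prints tells you which direct dependency to bump (or which transitive dependency to pin) rather than just that some copy of the package is old; a hoisted patched copy at the top level does not help when a nested older copy is the one a deeper package actually resolves.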