chore(deps): use lodash instead of per method packages #859
jobs depends on the `api` package to make requests to the render API. This package suffers from a vulnerability in one of its dependencies, specifically the `lodash.setWith` package, which is actually deprecated. There is a PR open for `api` to use full lodash instead of per method packages (which are deprecated), but it has not been merged yet: readmeio/api#859

This commit replaces the `api` package used to generate a render SDK from their OpenAPI spec by a home-made RenderAPI class (40 lines of code).

## Issue ticket number and link

https://linear.app/nango/issue/NAN-453/[credal]-fix-jobs-vulnerability

## Checklist before requesting a review (skip if just adding/editing APIs & templates)

- [ ] I added tests, otherwise the reason is:
- [ ] I added observability, otherwise the reason is:
- [ ] I added analytics, otherwise the reason is:
Thanks for approving the CI runs. It looks like a generic CI failure... which I am not sure what to do with. It is possible that I have broken something in lerna by not using lerna to remove the package?
Hi! See lodash/lodash#5107, specifically this part:

The
Thanks!
## 🧰 Changes

Use of lodash per method packages is now discouraged (docs), and they appear to be unmaintained and have security vulnerabilities. As explained in the linked docs, depending on `lodash` is preferred.

## 🧬 QA & Testing

The tests on the `api` package passed locally.