chore(deps): use lodash instead of per method packages #859
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jdleesmiller
changed the title
kanadgupta
changed the title
3 tasks
TBonnin
added a commit
to NangoHQ/nango
that referenced
this pull request
Mar 5, 2024
jobs depends on the api package to make request to render api This package suffers from a vulnerability of one of its dependency, specifically the lodash.setWith package which is actually deprecated. There is a PR open for api to use full lodash instead of per method packages (which are deprecated) but it has not been merged yet. readmeio/api#859 This commit replaces the api package used to generate a render sdk from their openapi spec by a home-made RenderAPI class (40 lines of code)
TBonnin
added a commit
to NangoHQ/nango
that referenced
this pull request
Mar 6, 2024
jobs depends on the `api` package to make request to render api This package suffers from a vulnerability of one of its dependency, specifically the lodash.setWith package which is actually deprecated. There is a PR open for `api` to use full lodash instead of per method packages (which are deprecated) but it has not been merged yet. readmeio/api#859 This commit replaces the `api` package used to generate a render sdk from their openapi spec by a home-made RenderAPI class (40 lines of code) ## Issue ticket number and link https://linear.app/nango/issue/NAN-453/[credal]-fix-jobs-vulnerability ## Checklist before requesting a review (skip if just adding/editing APIs & templates) - [ ] I added tests, otherwise the reason is: - [ ] I added observability, otherwise the reason is: - [ ] I added analytics, otherwise the reason is:
|
Thanks for approving the CI runs. It looks like a generic CI failure... which I am not sure what to do with. It is possible that I have broken something in lerna by not using lerna to remove the package? |
|
Hi! See lodash/lodash#5107, specifically this part:
The |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
馃О Changes
Use of
lodashper method packages is now discouraged (docs), and they appear to be unmaintained and have security vulnerabilities. As explained in the linked docs, depending on lodash is preferred.馃К QA & Testing
The tests on the
apipackage passed locally.