Vulnerable dependency #7402
Comments
@robinMcA thanks for reporting. PR that patches that in a framework is highly welcome
cc @richarddd (dependency on
Looks like the issue will be in download as well, download use
Any update on this, guys?
I've also opened an issue at I'd give the package authors a moment to recover. If that drags on, I believe we need to replace them with alternatives.
Any update or resolution on this, guys?
Any news? It looks like decompress is no longer maintained. Any plans to move to an alternative?
It's quite easy to get rid of Still we also depend on A PR that reliably gets rid of both of those dependencies is welcome!
Hi, unsure if I should create another brand new issue or tag into this existing issue since this issue's title seems generic enough (my first time). There are 2 more security-vulnerable dependencies. Both can be easily remediated by
Hi everyone! Let's replace decompress with something else! Maybe https://www.npmjs.com/package/adm-zip
Any update on this?
@richarddd that'll be great. Still just replacing
There's a
It looks like the original package also got an update: kevva/decompress#73 (comment) |
PR to merge the change into
The latest versions of both decompress and download should resolve this issue. The NPM advisory has been updated as well: https://www.npmjs.com/advisories/1217 |
@neverendingqs thanks! I'll prepare the PR that updates both decompress and download dependencies |
It's great to hear that! With next release (coming today or on Monday latest) we'll have those dependencies bumped. |
Closing as that was addressed with one of the latest releases
Bug Report
Description
If a yarn or npm audit is part of the CI/CD, builds will fail.
Raising the issue here because there has been no action on the issue in the library.
npm audit or yarn audit
serverless fails because of this https://www.npmjs.com/advisories/1217
serverless passes
serverless.yml file? N/A
SLS_DEBUG=* environment variable (e.g. SLS_DEBUG=* serverless deploy) N/A
Similar or dependent issues:
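As an added example (not code from this thread or from the Serverless project), a small Python helper that reads an `npm audit --json` report and lists which of the root package's direct dependencies pull in the flagged module, which is the question the thread keeps circling (decompress is reached both directly and through download, so swapping out one of them is not enough). The report shape is assumed from the npm 6 era and the sample report is constructed.

```python
import json

# Constructed sample (not a real audit run). The shape follows the npm 6
# `npm audit --json` layout as assumed here, trimmed to the fields used below.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "1217": {
            "id": 1217,
            "module_name": "decompress",
            "severity": "high",
            "url": "https://www.npmjs.com/advisories/1217",
            "findings": [{
                "version": "0.0.0-constructed",  # placeholder version
                "paths": [
                    "serverless>decompress",
                    "serverless>download>decompress",
                ],
            }],
        }
    }
})


def dependents_per_advisory(audit_json, root="serverless"):
    """For each advisory, collect the root package's direct dependencies
    through which the flagged module is reached. A path 'root>a>b>mod'
    reaches mod via 'a'; 'root>mod' means root depends on mod itself."""
    report = json.loads(audit_json)
    result = {}
    for adv_id, adv in report.get("advisories", {}).items():
        via = set()
        for finding in adv.get("findings", []):
            for path in finding.get("paths", []):
                hops = path.split(">")
                if len(hops) >= 2 and hops[0] == root:
                    via.add(hops[1])
        result[adv_id] = {"module": adv.get("module_name"),
                          "severity": adv.get("severity"),
                          "via": sorted(via)}
    return result


def still_exposed_after_dropping(audit_json, dropped, root="serverless"):
    """Advisories still reachable once the direct dependencies in `dropped`
    are replaced, e.g. swapping decompress while download still pulls it in."""
    summary = dependents_per_advisory(audit_json, root)
    return {adv_id: sorted(set(info["via"]) - set(dropped))
            for adv_id, info in summary.items()
            if set(info["via"]) - set(dropped)}
```

Feed it the output of `npm audit --json` from a real tree to see which direct dependencies a bump or replacement must cover before the audit gate goes green.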