Minimist dependency fails package audit #528
Comments
Thanks for reporting. Any suggestions on what we can do here specifically? Upon first sight it looks more like it needs fixing upstream?
It may very well need to be fixed upstream. In my particular case, I am ok without the GC stats, so maybe extracting those metrics into their own package. But that may be more of an annoyance than anything.
Yes, if I could I'd move away from a library not passing an audit, but if it's a transitive dependency or a core dependency to the library I don't see how that's possible. Can you also open an issue upstream maybe?
Yeah, I see the problem. I will try to identify where I should open the issue and let you know.
So far:
I cannot install gc-stats because it cannot be built and there is no prebuilt binary. -> no audit problems
When I install @promster/metrics@4.1.13 -> the audit problems show off.
So, I am not really sure which upstream to create the issue in. node-pre-gyp has no issue and I cannot verify gc-stats because it does not build. Any hints?
I also tried to install @promster/metrics with the --no-optional flag with no success; gc-stats still shows up in the package-lock and causes the audit problem.
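The "which upstream" question can be answered from package-lock.json itself. As an added example (not code from the promster project or from anyone in this thread), the script below walks a lockfile-v1 "dependencies" tree from a direct dependency, follows "requires" edges with npm's nesting rule, and lists every chain ending at minimist, marking optional hops. The lock content, versions and the mkdirp edge are constructed for illustration.

```javascript
// Added example: trace how an audited package (here minimist) is reached from
// a direct dependency in an npm v6 package-lock.json ("lockfileVersion": 1).
function dependencyPaths(lock, directDeps, target) {
  const found = [];
  // scopes: stack of "dependencies" maps, root scope first
  function visit(name, scopes, trail) {
    if (trail.some(t => t.startsWith(name + '@'))) return; // cycle guard
    let entry = null, depth = -1;
    // npm resolution: the nearest enclosing scope that declares the name wins
    for (let i = scopes.length - 1; i >= 0; i--) {
      if (scopes[i] && scopes[i][name]) { entry = scopes[i][name]; depth = i; break; }
    }
    if (!entry) return; // edge with no matching lock entry: skip it
    const label = `${name}@${entry.version}${entry.optional ? ' (optional)' : ''}`;
    const path = [...trail, label];
    if (name === target) { found.push(path.join(' > ')); return; }
    // packages nested under this entry shadow outer ones for its own requires
    const inner = scopes.slice(0, depth + 1).concat([entry.dependencies || {}]);
    for (const req of Object.keys(entry.requires || {})) visit(req, inner, path);
  }
  for (const name of directDeps) visit(name, [lock.dependencies || {}], []);
  return found;
}

// True when every chain to the target passes through an optional entry, i.e.
// the target is only present because of an optional dependency.
function onlyViaOptional(paths) {
  return paths.length > 0 && paths.every(p => p.includes('(optional)'));
}

// Constructed sample in lockfile-v1 shape; versions and the mkdirp edge are
// illustrative, not taken from the issue.
const sampleLock = {
  dependencies: {
    '@promster/metrics': { version: '4.1.13', requires: { 'gc-stats': '^1.0.0' } },
    'gc-stats': { version: '1.0.0', optional: true,
      requires: { 'node-pre-gyp': '^0.1.0', mkdirp: '^0.5.0' } },
    'node-pre-gyp': { version: '0.1.0', optional: true, requires: { minimist: '0.0.8' },
      dependencies: { minimist: { version: '0.0.8', optional: true } } },
    mkdirp: { version: '0.5.0', optional: true, requires: { minimist: '^1.0.0' } },
    minimist: { version: '1.0.0', optional: true },
  },
};

const examplePaths = dependencyPaths(sampleLock, ['@promster/metrics'], 'minimist');
console.log(examplePaths.join('\n'));
console.log('only via optional deps:', onlyViaOptional(examplePaths));
```

To use it on a real project, replace sampleLock with `JSON.parse(fs.readFileSync('package-lock.json'))` and directDeps with the names from your package.json.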
I am still looking for a solution, but some bigger fires need to be put down first 😉
We finally decided to implement the metrics we need from fastify ourselves, in a very non-generic manner.
Describe the bug
After installing the package, the audit checks in our pipelines fail.
The culprits are several minimist dependencies pulled in by gc-stats.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
No error.
found 0 vulnerabilities
Screenshots
More information
Reproduced on macOS.
❯ node --version
v14.8.0
❯ npm --version
6.14.7
Also reproduces in Azure pipelines agent, Ubuntu 18.04