Minimist dependency fails package audit #528
Comments
|
Thanks for reporting. Any suggestions on what we can do here specifically? Upon first sight it looks more like it needs fixing upstream? |
|
It may very well need to be fixed upstream. In my particular case, I am ok without the GC stats so maybe extracting those metrics into their own package. But that may be more of an annoyance than anything |
|
Yes, if I could I'd move away from a library not passing an audit but if it's a transitive dependency or a core dependency to the library I don't see how that's possible. Can you also open an issue upstream maybe? |
|
Yeah, I see the problem. I will try to identify where shall I open the issue. And let you know. |
|
So far: I cannot install gc-stats because it cannot be built and there is no prebuilt binary. -> no audit problems When I install @prompster/metrics@4.1.13 -> the audit problems show off. So, I am not really sure which upstream to create the issue in. no-pre-gyp has no issue and I cannot verify gc-stats because it does not build. Any hints? |
|
I also tried to install @promster/metrics with the --no-optional flag with no success, gc-stats still shows up in the package-lock and causes the audit problem |
|
|
|
I am still looking for a solution, but some bigger fires need to be put down first 😉 |
|
We finally decided to implement ourselves the metrics we need from fastify in a very non-generic manner. |
Describe the bug
After installation of package, audit checks in our pipelines fail.
The culprit are several minimist dependencies from gc-stats
To Reproduce
Steps to reproduce the behavior:
Expected behavior
No error.
found 0 vulnerabilitiesScreenshots
More information
Reproduced in MacOS.
❯ node --version
v14.8.0
❯ npm --version
6.14.7
Also reproduces in Azure pipelines agent, Ubuntu 18.04
The text was updated successfully, but these errors were encountered: