When installing dc-delivery-sdk-js via npm install, there is a high severity vulnerability reported.
Steps to Reproduce
There are of course many ways to do this, but from "scratch":
mkdir example && cd example && npm init --yes && npm install dc-delivery-sdk-js --save
Expected Results
Install dependencies without any reported high severity vulnerabilities
Actual Results
npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN example@1.0.0 No description
npm WARN example@1.0.0 No repository field.
+ dc-delivery-sdk-js@0.9.0
added 5 packages from 7 contributors and audited 5 packages in 1.025s
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
It looks like there is an approved PR from dependabot here: #29 that has this bump; it looks like it was approved on January 5th but not merged. I obviously have no insight into why something may or may not be merged, but I'd like to be able to use this package in places where there are strict requirements that there be no high priority vulnerabilities. We could resolve our own version of Axios, etc., but ultimately we want to make sure we're using officially supported libraries / the SDK.
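A lockfile check that a CI step could run to catch the transitive axios pin the audit complains about (added example, not code from the SDK project; the lockfile contents are constructed to mirror the report, and the 0.21.1 cut-off comes from the npm deprecation notice above):

```python
import json  # stdlib; used when reading a real package-lock.json from disk

# Per the npm deprecation notice in the report, axios versions below 0.21.1 carry the advisory.
FIXED_AXIOS = (0, 21, 1)

def parse_version(v):
    # Drop a leading "v"/"=" and any pre-release or build suffix (assumes plain semver like "0.19.2").
    core = v.lstrip("v=").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def find_vulnerable_axios(lock):
    """Return (install path, version) for every axios entry pinned below 0.21.1.
    Handles lockfileVersion 1 (nested "dependencies" tree) and 2/3 (flat "packages" map).
    An axios entry with no version field is reported too, since it cannot be cleared."""
    hits = []
    if "packages" in lock:  # v2/v3: keys look like "node_modules/<pkg>/node_modules/axios"
        for path, meta in lock["packages"].items():
            if path.split("node_modules/")[-1] == "axios":
                version = meta.get("version", "0")
                if parse_version(version) < FIXED_AXIOS:
                    hits.append((path, version))
        return hits
    def walk(deps, prefix):  # v1: recurse through nested dependency objects
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            version = meta.get("version", "0")
            if name == "axios" and parse_version(version) < FIXED_AXIOS:
                hits.append((path, version))
            walk(meta.get("dependencies", {}), path + "/")
    walk(lock.get("dependencies", {}), "")
    return hits

# Constructed v1 lockfile mirroring the report: the SDK at 0.9.0 requires axios, hoisted at 0.19.2.
SAMPLE_LOCK = {
    "name": "example", "version": "1.0.0", "lockfileVersion": 1,
    "dependencies": {
        "dc-delivery-sdk-js": {"version": "0.9.0", "requires": {"axios": "^0.19.2"}},
        "axios": {"version": "0.19.2"},
    },
}

def check_lockfile(path):
    # Convenience wrapper for a CI step: read the lockfile from disk and run the check.
    with open(path) as fh:
        return find_vulnerable_axios(json.load(fh))

if __name__ == "__main__":
    for path, version in find_vulnerable_axios(SAMPLE_LOCK):
        print(f"{path}: axios@{version} is below the fixed release 0.21.1")
```

A non-empty result is the signal to fail the build until the SDK ships with an updated axios pin.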
Reading the upstream issue (axios/axios#3369) I don't believe we are impacted; this vulnerability is related to the Axios proxy feature, and our SDK doesn't allow you to specify a proxy.
Are you able to supply a code example that demonstrates that we are directly impacted by this issue?
Regarding #29, any change to our SDK needs to be approved by our internal QA team before it can be released, so even though our unit tests pass, etc., it still requires a QA approval.
I cannot give any estimates to when this will be done at the current time.
Affected browsers/environments
I believe anything using this package.