Update grpc version when upstream security issue is fixed #1350
Comments
This comes from our gRPC dependency, I'll see if I can bump the version as part of #1320.
One thing we might want to consider as part of this fix is whether we can run `npm audit` (new in 5.10.x or something something) and make sure we are clean before we ever publish.
I love the idea of running the new audit command in CI. Would doing so have caught this specific issue?
TL;DR, I looked into this after seeing the error pop up in @mehzer's otherwise immaculate video. Sadly, the latest I coded up the rejection of I wish there was a way to only audit immediate dependencies, but that does not appear to be the case. @ellismg and @justinvp in the meantime, should we suppress this for our installer/templates, using
It looks like grpc/grpc-node#277 tracks taking the fix into upstream.
While we wait for upstream to fix the security issue, we'll just pass `--no-audit` to `npm install` when creating a new project. Since the warning is against an indirect dependency of @pulumi/pulumi, we can't actually address the issue ourselves. Mitigates #1350
I've checked in the mitigation such that We'll probably also want to remove the
This version has an updated protobufs dependency, which will remove the warnings from `npm audit`. Fixes #1350
When installing 0.12.1 NPM packages on Node 8.10 on Linux, I see this: