Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump package latest-version to latest version to resolve SNYK-JS-GOT-2932019 #2825

Open
hubofgitongithub opened this issue Apr 5, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@hubofgitongithub
Copy link
Contributor

Describe the bug
Our security scanner is triggering on:

[email protected]:
    Found vulnerabilities: 
    - Open Redirect – medium severity, https://snyk.io/vuln/SNYK-JS-GOT-2932019
    Dependency path (1 of 2): @useoptic/[email protected][email protected][email protected][email protected]

Later versions of latest-version use package-json 10 or higher. These versions do not depend on got anymore and thus resolving this security vulnerability.

@hubofgitongithub hubofgitongithub added the bug Something isn't working label Apr 5, 2024
@niclim
Copy link
Contributor

niclim commented Apr 8, 2024

Hi - this is a duplicate of this issue #2414.

Summary is we're having issues on upgrading these packages because these are ESM only supported packages it would require some work to update Optic to fully support this.

Last time I dug into this I think we ran into issues with our packaging (we use vercel/pkg, which doesn't support ESM) and needing to update importing of any ESM package (to use dynamic imports, to natively import requires more work). We're looking into options but we haven't gotten around to fixing this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants