
[BUG] outdated dependencies, specifically @nestjs/core

Open seanmc86 opened this issue 2 years ago • 6 comments

🐛 Bug Report:

It appears that many dependencies used have fixed version numbers in package.json and have not been updated in some time.

Describe the bug

@nestjs/core has a vulnerability raised by dependabot: "@nestjs/core vulnerable to Information Exposure via StreamableFile pipe" The @nestjs/core version 8.4.4 was released nearly a year ago: https://github.com/nestjs/nest/releases/tag/v8.4.4

I'd recommend updating this dependency as soon as possible, and investigating others that may also be outdated.

seanmc86 · Mar 08 '23 11:03

This should be getting fixed in this PR #693

OptoCloud · Mar 16 '23 08:03

It would be nice to upgrade to 9.0.5 or greater to avoid the security vulnerability. Or you could unpin the dependency by doing something like "^9.0.5" to allow consumers to sidestep future vulnerabilities without a change to this library.

kradical · Mar 21 '23 21:03

> This should be getting fixed in this PR #693

It appears that said PR was merged but no new release was made? Any chance this will be released soon?

TheOlinone · Apr 03 '23 08:04

I think we are all waiting... It is annoying to get 2 moderate severity vulnerabilities on each `npm i` run. Anyone available here?

ribeaud · Apr 04 '23 19:04