
[Question] Vulnerability Handling and pinned versions in exposed dependencies

Open skatterwe opened this issue 5 months ago • 5 comments

I was just wondering if it might be an option to at least allow any bugfix version in the dependencies you have specified.

Currently the dependencies are completely fixed. And in a case like now, where a peer dependency (@nestjs/core) has a vulnerability, you would need a new release to include the available bugfix.

I was wondering if it might be an option to open up a bit and allow any bugfix versions.

"node_modules/@openapitools/openapi-generator-cli": {
      ...
      "dependencies": {
        "@nestjs/axios": "3.0.2",
        "@nestjs/common": "10.3.0",
        "@nestjs/core": "10.3.0",  // <- this currently has a high vulnerability, but just a clean install won't fix it due to pinned version
        "@nuxtjs/opencollective": "0.3.2",
        "axios": "1.7.4",
        "chalk": "4.1.2",
        "commander": "8.3.0",
        "compare-versions": "4.1.4",
        "concurrently": "6.5.1",
        "console.table": "0.10.0",
        "fs-extra": "10.1.0",
        "glob": "7.2.3",
        "https-proxy-agent": "7.0.4",
        "inquirer": "8.2.6",
        "lodash": "4.17.21",
        "reflect-metadata": "0.1.13",
        "rxjs": "7.8.1",
        "tslib": "2.6.2"
      },
     ...
}

skatterwe avatar Sep 11 '24 10:09 skatterwe
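To make the resolution behaviour concrete, here is an added example (not code from the openapi-generator-cli project or from the issue author) that scans a dependency map for exact pins and shows which versions an exact pin versus a tilde patch range would accept. The dependency map is a constructed subset of the lock fragment above; the fixed version numbers in the usage are hypothetical.

```javascript
// Constructed from the issue's lock fragment: three exactly pinned dependencies.
const SAMPLE_DEPENDENCIES = {
  "@nestjs/core": "10.3.0",
  "axios": "1.7.4",
  "rxjs": "7.8.1",
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release tags are not handled here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// True if `candidate` is acceptable under `range`.
// Supports an exact pin ("10.3.0") and npm's tilde range ("~10.3.0",
// meaning >=10.3.0 <10.4.0, i.e. bugfix releases only).
function satisfies(range, candidate) {
  const tilde = range.startsWith("~");
  const [bMaj, bMin, bPat] = parseVersion(tilde ? range.slice(1) : range);
  const [cMaj, cMin, cPat] = parseVersion(candidate);
  if (!tilde) return cMaj === bMaj && cMin === bMin && cPat === bPat;
  return cMaj === bMaj && cMin === bMin && cPat >= bPat;
}

// List every exactly pinned dependency together with the tilde range that
// would still let a clean install pick up a patched release.
function findExactPins(deps) {
  return Object.entries(deps)
    .filter(([, spec]) => /^\d+\.\d+\.\d+$/.test(spec))
    .map(([name, spec]) => ({ name, pinned: spec, patchRange: `~${spec}` }));
}

// Usage: a hypothetical fix published as 10.3.1 is unreachable under the pin
// but reachable under the patch range.
for (const dep of findExactPins(SAMPLE_DEPENDENCIES)) {
  console.log(dep.name, "pinned:", dep.pinned, "suggested:", dep.patchRange);
}
console.log(satisfies("10.3.0", "10.3.1"), satisfies("~10.3.0", "10.3.1"));
```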