
Deprecated `glob` version used

Open andenacitelli opened this issue 1 year ago • 8 comments

Overview

I use @redocly/cli as a linting step against the OpenAPI spec in my project.

pnpm warns me of deprecated subdependencies in my project:

$ pnpm i
 WARN  2 deprecated subdependencies found: [email protected], [email protected]

Using pnpm why, the glob one seems to come from @redocly/cli:

$ pnpm why [email protected]
...
devDependencies:
@redocly/cli 1.25.11
└── glob 7.2.3

And notably, the other deprecated subdependency ([email protected]) itself comes through the deprecated glob version (which is potentially why the glob version was deprecated).

$ pnpm why [email protected]
...
devDependencies:
@redocly/cli 1.25.11
└─┬ glob 7.2.3
  └── inflight 1.0.6

Desired Fix

Bump the used version of glob to a non-deprecated version.

Versions

  • @redocly/[email protected], latest at time of issue submission
  • M2 Mac, likely irrelevant

andenacitelli, Nov 18 '24 14:11

Thanks @andenacitelli for letting us know!

tatomyr, Nov 18 '24 14:11

Hey! I'm interested in an update, I'm using @redocly/[email protected]

└─┬ @redocly/[email protected]
  └─┬ [email protected]
    └── [email protected]

I would like to address this warning about inflight

npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.

Thanks!

matthieuLepetit, Jan 03 '25 15:01

Hey @matthieuLepetit, it is on our to-do list. We just don't have enough bandwidth to work on it yet.

tatomyr, Jan 03 '25 15:01

Hi @tatomyr, thank you for your quick update!

I just made a PR https://github.com/Redocly/redocly-cli/pull/1843

I hope I followed your conventions correctly.

If you have some bandwidth for a review, do not hesitate.

Have a great day!

matthieuLepetit, Jan 13 '25 09:01

Thanks, @matthieuLepetit! The main thing here is to test if it doesn’t break anything for us. I'll be able to do that a bit later this week (I hope).

tatomyr, Jan 13 '25 10:01

Curious if there are any updates on this.

rikvanthof, Mar 17 '25 11:03

Hi, we also ran into this issue while trying to use redocly. I don't think it's a blocker for us but it would be nice to have this resolved.

jachym-tousek-keboola, Apr 10 '25 11:04

We expect it to be fixed in v2.

DmitryAnansky, Apr 11 '25 09:04

Is there an ETA on that? Looking to get this vulnerability resolved. https://cwe.mitre.org/data/definitions/772.html

@garrett-whitehorn-cengage this has been fixed in v2. You may start using the pre-release next version before we launch the stable version. I'm currently preparing the migration guide, but in general you should be able to use it with minimal changes (except for resolving deprecations, see the changelog).

tatomyr, Jul 10 '25 08:07

Resolved in v2.

tatomyr, Jul 24 '25 21:07