spectaql
NPM audit vulnerabilities
Hello,
We have an installation of SpectaQL v1.5.3 in our project. We are seeing some issues when running npm audit. It is recommending us to downgrade to v0.0.2 to fix the vulnerabilities. Currently, there are 11 vulnerabilities listed for SpectaQL.
11 vulnerabilities (3 moderate, 6 high, 2 critical)
Do you plan on bumping the versions for the dependencies that SpectaQL uses?
Thanks
Hmm. Will have a look.
I just installed SpectaQL on a project of mine and GitHub's dependabot went crazy when I pushed it. So yeah... it would be really great to upgrade some dependencies (the reported vulnerabilities apparently come from lodash)
Well nvm my earlier comment - after reading #303 I understand the problem better
Medium term I plan to fork/replicate/replace all the unmaintained junk that has these vulns so that we are squeaky clean at all times.
I am aiming to take care of this in the 2.0 release.
@newhouse , is there any estimate/timeline for when there's a hope to see v2.0 release?
Aiming for this week @knidarkness
@moritz157 @knidarkness @alMWI All vulnerabilities should now be fixed in v2. There are some breaking changes when upgrading, but they should not be too difficult to address.
Closing this for now, but let me know if you have any issues with audits.