
Dependencies have known vulnerabilities

Open trevordixon opened this issue 1 year ago • 12 comments

@asyncapi/cli is the only dependency in our project that depends on packages with vulnerabilities according to npm audit. Is upgrading to rely only on patched versions of dependencies a goal of the project, or should we assess the risk of individual vulnerabilities on our own and find a way to ignore vulnerabilities whose risk we deem acceptable?

trevordixon avatar Aug 04 '23 10:08 trevordixon

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

github-actions[bot] avatar Aug 04 '23 10:08 github-actions[bot]

@trevordixon hey, thanks for opening the issue. We rely on dependabot across the whole org, and I just checked that it was disabled in this repo. I don't know why, but anyway, just enabled it. We definitely want to have CLI always up to date with patches to solve quickly any vulnerability issues.

cc @Souvikns @magicmatatjahu

Feel free to also open a PR for specific patches that you need in place.

derberg avatar Aug 07 '23 11:08 derberg

dependabot started kicking in -> https://github.com/asyncapi/cli/pulls?q=is%3Apr+author%3Aapp%2Fdependabot 💪🏼

I guess I can close this issue?

derberg avatar Aug 08 '23 15:08 derberg

@derberg I think the most critical vulnerability is still present in the vm2 dependency, indirectly included via spectral-cli. Upgrading spectral-cli from 6.6.0 to 6.9.0 should resolve that one though. I started with a PR patching this but a bunch of tests failed and I need to find the time to understand and resolve the failures. If you get a chance to look at it before me that would be very much appreciated 😄

mattias-persson avatar Aug 09 '23 10:08 mattias-persson
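The opening post asks how to assess individual findings and accept the ones whose risk is acceptable, and the comment above shows the typical case: the critical finding is in a transitive dependency (vm2) that only enters through one direct dependency (spectral-cli). The following script is an added example, not part of this thread or the AsyncAPI project; it reads the `npm audit --json` structure (npm 7+ schema: `vulnerabilities`, `via`, `effects`, `isDirect`, `fixAvailable`) and, for each advisory, walks `effects` upward to the direct dependencies that introduce it, then marks it accepted, fixable, or needing review. The sample audit data, the `hypothetical-pkg` name and the advisory URLs are constructed.

```python
# Constructed sample in the shape of `npm audit --json` (npm 7+), not a real audit run.
# Names follow the thread: vm2 is reached only through spectral-cli; hypothetical-pkg is direct.
SAMPLE_AUDIT = {"vulnerabilities": {
    "vm2": {"name": "vm2", "severity": "critical", "isDirect": False, "effects": ["spectral-cli"],
            "range": "<3.9.99", "fixAvailable": True,
            "via": [{"name": "vm2", "title": "constructed advisory", "severity": "critical",
                     "url": "https://example.invalid/advisory/1"}]},
    "spectral-cli": {"name": "spectral-cli", "severity": "critical", "isDirect": True,
                     "effects": [], "range": "<=6.6.0", "via": ["vm2"],
                     "fixAvailable": {"name": "spectral-cli", "version": "6.9.0", "isSemVerMajor": False}},
    "hypothetical-pkg": {"name": "hypothetical-pkg", "severity": "low", "isDirect": True,
                         "effects": [], "range": "<1.0.1", "fixAvailable": False,
                         "via": [{"name": "hypothetical-pkg", "title": "constructed advisory",
                                  "severity": "low", "url": "https://example.invalid/advisory/2"}]},
}}
SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}


def direct_roots(audit, pkg):
    """Follow `effects` (dependents) upward to the direct dependencies that pull `pkg` in."""
    vulns, roots, stack, seen = audit["vulnerabilities"], set(), [pkg], set()
    while stack:
        cur = stack.pop()
        if cur in seen or cur not in vulns:
            continue
        seen.add(cur)
        if vulns[cur]["isDirect"]:
            roots.add(cur)
        stack.extend(vulns[cur]["effects"])
    return sorted(roots)


def triage(audit, accepted_urls=frozenset()):
    """One row per advisory: direct deps that introduce it, and accepted / fix-available / needs-review."""
    rows = []
    for pkg, entry in audit["vulnerabilities"].items():
        # string `via` entries just point at other vulnerable packages; dicts are the advisories
        for adv in (v for v in entry["via"] if isinstance(v, dict)):
            if adv["url"] in accepted_urls:
                status = "accepted"
            elif entry["fixAvailable"]:
                status = "fix-available"
            else:
                status = "needs-review"
            rows.append({"package": pkg, "severity": adv["severity"], "status": status,
                         "via_direct": direct_roots(audit, pkg), "fix": entry["fixAvailable"]})
    return sorted(rows, key=lambda r: SEVERITY_ORDER[r["severity"]])


if __name__ == "__main__":
    import json, sys
    # Usage: npm audit --json > audit.json && python triage.py audit.json (no file: use the sample)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_AUDIT
    for row in triage(data):
        print(row["severity"], row["package"], row["status"], "via", ", ".join(row["via_direct"]))
```

Accepted advisories are keyed by their advisory URL so the accept list can live in version control next to the lockfile and be reviewed like any other change.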

@mattias-persson even if tests are failing, please open a PR so I can have a look, maybe will have some hints

derberg avatar Aug 09 '23 14:08 derberg

Done @derberg! https://github.com/asyncapi/cli/pull/750

mattias-persson avatar Aug 09 '23 14:08 mattias-persson

This issue has been automatically marked as stale because it has not had recent activity :sleeping:

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience :heart:

github-actions[bot] avatar Dec 08 '23 00:12 github-actions[bot]

There are still many vulnerabilities. These can be fixed by an audit with version regressions (0.8.1). But this in turn causes other problems. When using the AsyncAPI CLI, errors are thrown saying that modules cannot be found ([MODULE_NOT_FOUND] Error Plugin: @asyncapi/cli: Cannot find module '@oclif/plugin-help/lib/command').

KristinaB162 avatar May 06 '24 12:05 KristinaB162

still relevant

Amzani avatar May 07 '24 09:05 Amzani

@KristinaB162 The highest severity issues are present in the dependencies we don't have control over: @oclif/plugin-commands and @oclif/plugin-warn-if-update-available. Created https://github.com/oclif/plugin-commands/issues/661

Amzani avatar May 07 '24 10:05 Amzani