
Indirect dependency vulnerability through @asyncapi/generator

Open anfern777 opened this issue 1 year ago • 2 comments

Describe the bug
The "request" package has known vulnerabilities and is present in the nestjs-asyncapi dependency tree through @asyncapi/generator.

Details
The request package, which is deprecated and has known vulnerabilities, is being included as a transitive dependency in the nestjs-asyncapi package. Below is the detailed dependency chain:

[email protected]
├── @asyncapi/[email protected]
│   └── @npmcli/arborist@^2.2.4
│       └── @npmcli/metavuln-calculator@^1.1.0
│           └── pacote@^11.1.11
│               └── @npmcli/run-script@^1.8.2
│                   └── node-gyp@^7.1.0
│                       └── request
└── @asyncapi/[email protected]
    └── @npmcli/arborist@^2.2.4
        └── @npmcli/run-script@^1.8.2
            └── node-gyp@^7.1.0
                └── request

Proposed solution
Upgrade the @asyncapi/generator dependency to its latest minor version.

Additional context
Full description of the vulnerability here: https://github.com/advisories/GHSA-p8p7-x288-28g6

anfern777 · Aug 01 '24 08:08

Hello! Thank you for filing an issue.

If this is a bug report, please include relevant logs to help us debug the problem.

github-actions[bot] · Aug 01 '24 08:08

I confirm this issue. Would the update to a recent async release introduce BC?

lc-spxl · Sep 12 '24 13:09