app-config icon indicating copy to clipboard operation
app-config copied to clipboard

Published 20 hours ago verified publisher icon launchcodedev

Multiple vulnerabilities in app-config dependencies

Open danielsitnik opened this issue 2 years ago • 4 comments

Hi guys, it's me again. 😄 I've been using app-config for some time now and it's been working great.

However, I can't help but notice that the current version has a number of high and critical vulnerabilities: Screen Shot 2023-02-22 at 16 44 23

As I'm working in a corporate environment, our applications are subject to vulnerability scanning and our security guys will start questioning me about these issues very soon. 😁

I'd like to ask if you can look into it and maybe fix the vulnerable versions in a 2.8.7 release?

Also, is there any news on when can we expect the new version 3? I'm really hopeful for the more modular approach that should be introced in it.

Thanks!

danielsitnik avatar Feb 22 '23 20:02 danielsitnik

I'm updating some today, although my time is stretched very thin lately. Version 3 is still somewhere on my bucket list, but I wouldn't want to get anyone's hopes up.

joelgallant avatar Feb 26 '23 20:02 joelgallant

Thank you @joelgallant! It's been reduced to just a "high" vulnerability in node-fetch now.

danielsitnik avatar Feb 27 '23 21:02 danielsitnik

Could you yarn why node-fetch? I believe this is from quicktype-core -> isomorphic-fetch, which we can't update w/o a breaking change. We don't use the XHR request part of that lib anyways, so it should be safe.

joelgallant avatar Feb 27 '23 23:02 joelgallant

Yep, it comes from quicktype-core:

Screen Shot 2023-03-01 at 17 57 21

danielsitnik avatar Mar 01 '23 20:03 danielsitnik