Nicolai

Results 156 comments of Nicolai

"No workers available" is just the condition where no worker is idle. Isn't that the point of dynamically scaling workers? To allocate additional workers when they are all busy? If...

Maybe you could consider "scale-in-delay" as a parameter. So it will wait minimum x ms between starting new workers. This way you get immediate response for the first dynamic worker...

> > I don't know about the internals of how this works, but waiting more than 50-100ms for a worker seems to defeat the purpose of auto-scaling.
> >
> > yes,...

But why is it a problem creating 5 more workers if all 10 are busy? For this example to make sense, you'd have to receive 15 requests in < 50ms....

I've been investigating this issue. 1.2.0 never included the vulnerable code. The vulnerability was introduced in a commit made after 1.2.0 was released (https://github.com/satori/go.uuid/commit/0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c), and no version was ever released...

> @nickdnk some additional context is that at the time the package manager ecosystem was in flux and there were a couple of tools that allowed users to easily use...

I did. They essentially just said that 1.2.0 is not vulnerable and no action is required -- which is true, however, it still comes up as a vulnerability when we...

> Abandonware is a supply chain risk unto itself and it's disappointing they're taking the pedantic stance. NIST has a moderation issue for the NVD currently, so it'll be hit...

Anecdotally, GitHub says this on their CVE page (if you click the link in my previous comment): "Unfortunately, the latest tagged release is vulnerable to this issue" How is that...

> Isn't Slim using a DotEnv parsing library or something like that overriding `$_ENV`? It's something quite common in frameworks.

No. I load dotenv myself and set the variables that...