Bump package `latest-version` to latest version to resolve SNYK-JS-GOT-2932019

Open hubofgitongithub opened this issue 1 year ago • 1 comments

Describe the bug

Our security scanner is triggering on:

[email protected]:
    Found vulnerabilities: 
    - Open Redirect – medium severity, https://snyk.io/vuln/SNYK-JS-GOT-2932019
    Dependency path (1 of 2): @useoptic/[email protected][email protected][email protected][email protected]

Later versions of latest-version use package-json 10 or higher. These versions do not depend on got anymore, thus resolving this security vulnerability.

hubofgitongithub, Apr 05 '24 09:04

Hi - this is a duplicate of this issue https://github.com/opticdev/optic/issues/2414.

The summary is that we're having issues upgrading these packages because they are ESM-only packages, and it would require some work to update Optic to fully support this.

Last time I dug into this I think we ran into issues with our packaging (we use vercel/pkg, which doesn't support ESM) and needing to update importing of any ESM package (to use dynamic imports, to natively import requires more work). We're looking into options but we haven't gotten around to fixing this.

niclim, Apr 08 '24 19:04