fix: jobs vulnerability #1799
Merged
fix: jobs vulnerability #1799
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TBonnin
force-pushed
the
tbonnin/NAN-453/api-package-vuln
branch
3 times, most recently
from
17ac8cd
to
f60677e
Compare
jobs depends on the api package to make request to render api This package suffers from a vulnerability of one of its dependency, specifically the lodash.setWith package which is actually deprecated. There is a PR open for api to use full lodash instead of per method packages (which are deprecated) but it has not been merged yet. readmeio/api#859 This commit replaces the api package used to generate a render sdk from their openapi spec by a home-made RenderAPI class (40 lines of code)
TBonnin
force-pushed
the
tbonnin/NAN-453/api-package-vuln
branch
from
f60677e
to
16b93cc
Compare
|
TBonnin
commented
Mar 5, 2024
| @@ -31,6 +31,7 @@ | |||
| "ajv-errors": "^3.0.0", | |||
| "axios": "^1.2.0", | |||
| "byots": "^5.0.0-dev.20221103.1.34", | |||
| "chalk": "^5.3.0", | |||
There was a problem hiding this comment.
unrelated but chalk was not declared as CLI dependency
bodinsamuel
reviewed
Mar 5, 2024
| @@ -31,6 +31,7 @@ | |||
| "ajv-errors": "^3.0.0", | |||
| "axios": "^1.2.0", | |||
| "byots": "^5.0.0-dev.20221103.1.34", | |||
There was a problem hiding this comment.
unrelated, do we use this byots package? it seems not, or at least not imported 🤔
There was a problem hiding this comment.
good question. It is a bit out of the scope of this PR. I only happen to touch CLI package.json because it wouldn't compile without explicitly set chalk as a dependency but I am sure there is a some more cleanup to do
There was a problem hiding this comment.
Agree of out of scope but we used byots in an earlier iteration of the compilation of the typescript files for the cli, but now use ts-node instead.
TBonnin
force-pushed
the
tbonnin/NAN-453/api-package-vuln
branch
from
215ddf1
to
38fae7d
Compare
bodinsamuel
approved these changes
Mar 5, 2024
khaliqgant
approved these changes
Mar 5, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
jobs depends on the
apipackage to make request to render api This package suffers from a vulnerability of one of its dependency, specifically the lodash.setWith package which is actually deprecated.There is a PR open for
apito use full lodash instead of per method packages (which are deprecated) but it has not been merged yet. readmeio/api#859This commit replaces the
apipackage used to generate a render sdk from their openapi spec by a home-made RenderAPI class (40 lines of code)Issue ticket number and link
https://linear.app/nango/issue/NAN-453/[credal]-fix-jobs-vulnerability
Checklist before requesting a review (skip if just adding/editing APIs & templates)