fix: jobs vulnerability #1799
force-pushed from 17ac8cd to f60677e
jobs depends on the api package to make requests to the Render API. This package suffers from a vulnerability in one of its dependencies, specifically the lodash.setWith package, which is actually deprecated. There is a PR open for api to use full lodash instead of per-method packages (which are deprecated), but it has not been merged yet: readmeio/api#859. This commit replaces the api package used to generate a Render SDK from their OpenAPI spec with a home-made RenderAPI class (40 lines of code).
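The description above fixes the problem by removing the dependency chain that carries the vulnerable package rather than waiting for an upstream patch. As an added example that is not code from this PR or from the Nango project, the script below walks the packages map of an npm lockfile (lockfileVersion 2 or 3) and reports every chain from a direct dependency down to a named transitive package, plus every installed package the registry marks as deprecated, so a reviewer can confirm the chain exists before the change and is gone after it. The lockfile object is constructed for illustration; the package names api and lodash.setwith come from the PR text, and the version numbers are made up.

```javascript
// Added example, not code from this PR or from the Nango project.
// It walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3)
// to answer two review questions: which direct dependency pulls in a given
// transitive package, and which installed packages are marked deprecated.
// The lockfile below is constructed for illustration only.

const sampleLock = {
  name: "jobs-example",
  lockfileVersion: 3,
  packages: {
    // "" is the root project itself.
    "": { dependencies: { api: "^6.0.0", axios: "^1.2.0" } },
    "node_modules/api": {
      version: "6.0.0",
      dependencies: { "lodash.setwith": "^4.3.2", axios: "^1.2.0" },
    },
    "node_modules/lodash.setwith": {
      version: "4.3.2",
      deprecated: "This package is deprecated. Use the main lodash package instead.",
    },
    "node_modules/axios": { version: "1.2.0" },
  },
};

// Resolve the lockfile path for dependency `name` as seen from `fromPath`,
// checking nested node_modules first and then each parent, as npm does.
function resolveEntry(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root; returns every chain of package names that
// ends at `target`. `seen` guards against cycles in the dependency graph.
function findChains(lock, target) {
  const chains = [];
  const visit = (path, chain, seen) => {
    const entry = lock.packages[path];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveEntry(lock, path, dep);
      if (!depPath || seen.has(depPath)) continue;
      const next = [...chain, dep];
      if (dep === target) chains.push(next);
      visit(depPath, next, new Set([...seen, depPath]));
    }
  };
  visit("", [], new Set([""]));
  return chains;
}

// Installed packages whose registry metadata carries a deprecation notice.
function deprecatedPackages(lock) {
  const marker = "node_modules/";
  return Object.entries(lock.packages)
    .filter(([path, entry]) => path !== "" && entry.deprecated)
    .map(([path, entry]) => ({
      name: path.slice(path.lastIndexOf(marker) + marker.length),
      reason: entry.deprecated,
    }));
}

// Model the PR's fix: drop a direct dependency from the root and re-check.
function withoutDependency(lock, name) {
  const root = { ...lock.packages[""], dependencies: { ...lock.packages[""].dependencies } };
  delete root.dependencies[name];
  return { ...lock, packages: { ...lock.packages, "": root } };
}

console.log("chains to lodash.setwith:", findChains(sampleLock, "lodash.setwith"));
console.log("deprecated:", deprecatedPackages(sampleLock));
console.log("after removing api:", findChains(withoutDependency(sampleLock, "api"), "lodash.setwith"));
```

Running it against a real package-lock.json only needs `JSON.parse(fs.readFileSync("package-lock.json"))` in place of sampleLock; the chain output is the evidence to attach to a PR like this one, and an empty result after the change is the check that the replacement client really dropped the transitive package instead of merely hiding it behind another entry.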
force-pushed from f60677e to 16b93cc
@@ -31,6 +31,7 @@ | |||
"ajv-errors": "^3.0.0", | |||
"axios": "^1.2.0", | |||
"byots": "^5.0.0-dev.20221103.1.34", | |||
"chalk": "^5.3.0", |
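Review bot: the added chalk ^5.3.0 line is outside the vulnerability fix this PR describes; record it in the PR description (or split it into its own commit) so the change stays traceable, and confirm the lockfile was regenerated so the new direct dependency is pinned rather than resolved fresh at install time.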
Unrelated, but chalk was not declared as a CLI dependency.
Nice 🚀 A few comments, but overall good!
I guess you have already tested this in staging?
@@ -31,6 +31,7 @@ | |||
"ajv-errors": "^3.0.0", | |||
"axios": "^1.2.0", | |||
"byots": "^5.0.0-dev.20221103.1.34", |
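Review bot: the byots ^5.0.0-dev.20221103.1.34 line in this region pins a dev pre-release that the thread says is no longer used since the CLI moved to ts-node; an unused dependency is still installed and audited, so dropping it in a follow-up removes a package that can only ever surface issues like the lodash.setWith one.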
Unrelated, but do we use this byots package? It seems not, or at least it is not imported 🤔
Good question. It is a bit out of the scope of this PR. I only happened to touch the CLI package.json because it wouldn't compile without explicitly setting chalk as a dependency, but I am sure there is some more cleanup to do.
Agreed it is out of scope, but we used byots in an earlier iteration of the compilation of the TypeScript files for the CLI; now we use ts-node instead.
force-pushed from 215ddf1 to 38fae7d
Issue ticket number and link
https://linear.app/nango/issue/NAN-453/[credal]-fix-jobs-vulnerability