Update heroku-client to patch security issue #8

Open
oskeke opened this issue May 9, 2018 · 1 comment


oskeke commented May 9, 2018

heroku-client@2.4.3 uses the tunnel-agent dependency with a known security issue, https://nodesecurity.io/advisories/598.

Please update to the 3.0.6 version that contains the patch.

@kjarmicki
Contributor

Unfortunately, this is not that easy. There was a massive change of heroku-client interface between 2.x and 3.x and all the convenience methods that we use (like app.addons().create()) are gone. Substantial rewrite would be required to accommodate for the new interface.

That being said, bumping tunnel-agent specifically is still possible - either hacky, by specifying tunnel-agent@0.6.0 directly as a HeroIn dependency and letting npm do the deduplication, or by forking heroku-client@2.4.3, specifying appropriate version there and pointing HeroIn to a fork.

Since I'm phasing out as a maintainer of this project, please feel free to choose the approach and issue a PR :)
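
A check for the first approach described in the comment above, as an added example that is not part of the thread or of HeroIn's code: npm only deduplicates onto a top-level tunnel-agent@0.6.0 when the range heroku-client declares accepts that version, otherwise a nested copy stays installed. The lockfile contents and the function names below are constructed for illustration.

```javascript
// Added example: list every tunnel-agent copy recorded in a parsed
// package-lock.json and flag those older than the 0.6.0 named in the thread.
const FIXED = [0, 6, 0];

// Compare "x.y.z" against FIXED; prerelease/build suffixes are ignored.
function isOlderThanFixed(version) {
  const parts = String(version || '').split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED[i]) return a < FIXED[i];
  }
  return false;
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 lockfile.
function walkV1(deps, path, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = path.concat(name);
    if (name === 'tunnel-agent') out.push({ path: here.join(' > '), version: info.version });
    walkV1(info.dependencies, here, out);
  }
}

// Returns [{path, version, vulnerable}] for every tunnel-agent entry.
function findTunnelAgent(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key.endsWith('node_modules/tunnel-agent')) out.push({ path: key, version: info.version });
    }
  } else {
    walkV1(lock.dependencies, [], out);
  }
  return out.map((e) => ({ ...e, vulnerable: isOlderThanFixed(e.version) }));
}

// Constructed sample (not the project's real lockfile): the top-level copy was
// bumped, but a nested copy remains under heroku-client.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'tunnel-agent': { version: '0.6.0' },
    'heroku-client': { version: '2.4.3', dependencies: { 'tunnel-agent': { version: '0.4.3' } } },
  },
};

console.log(findTunnelAgent(sampleLock).filter((e) => e.vulnerable));
```

Against a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findTunnelAgent`; an empty filtered list means no recorded copy is older than 0.6.0.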
