mv dependency vulnerable #667
I created an issue on that project: andrewrk/node-mv#33

`mv` hasn't been updated in 6 years. It has a vulnerable version of `mkdirp`, which has since been updated to completely remove the dependency `minimist`. See CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-7598

I think it's important to keep our projects up-to-date and vulnerability-free. We can wait for the project maintainers to respond; however, I feel that a project that hasn't been touched in over 6 years is likely to not garner much support from the creator. Could be wrong.

Courses of Action

1: Wait and See
Give the project maintainers some time to respond. See what they say, if anything. Perhaps they're willing to dust off the project and upgrade their dependencies.

2: Fork, Fix, and Replace
Fork the `mv` library, upgrade the dependencies, and publish under a new name that can be housed in a node-bunyan group of projects to support this awesome logger.

3: Move Away from mv
Find an alternative module similar to `mv` but that's been updated to the latest node base. A new module may likely be better with a similar API.

I have to say we really like bunyan logger. It's mature, lightweight, and it worked better out of the box than `winston`, which was more complicated and didn't like stack traces much without more configuration. Large companies are using this logger. We should take care to keep things up to date to gain wider adoption.

Comments

It's been almost a month and no one has responded on the vulnerability. Can one of the owners/maintainers of this project give some input on how you want to fix the issue of a vulnerable dependency?

We have moved away from this logger. I'm keeping this open so others have visibility on the inactivity.
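A check for the chain the issue describes (mv pulling in mkdirp, which pulled in minimist), added here as an example and not code from node-bunyan, the mv project or any commenter: it walks a package-lock.json v1-style dependency tree and reports every path that reaches a named package. The lock data and version strings below are constructed placeholders, not real releases.

```javascript
// Constructed package-lock v1-style data for illustration only; the nesting
// mirrors the chain from the issue (bunyan > mv > mkdirp > minimist) plus a
// direct copy of minimist, so both kinds of hit are exercised.
const constructedLock = {
  name: "example-app", // constructed placeholder
  dependencies: {
    bunyan: {
      version: "0.0.0-placeholder",
      dependencies: {
        mv: {
          version: "0.0.0-placeholder",
          dependencies: {
            mkdirp: {
              version: "0.0.0-placeholder",
              dependencies: {
                minimist: { version: "0.0.0-placeholder" },
              },
            },
          },
        },
      },
    },
    minimist: { version: "0.0.0-placeholder" }, // direct copy, also reported
  },
};

// Depth-first walk over nested "dependencies" maps (package-lock v1 layout).
// Returns an array of paths, each an array of package names from the root
// down to the target; an empty array means the package is not installed.
function findDependencyPaths(lock, target) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === target) hits.push(path);
      walk(entry.dependencies, path); // entries without children are skipped
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Render paths in the "a > b > c" form npm uses, for a quick report.
function formatPaths(paths) {
  return paths.map((p) => p.join(" > "));
}

console.log(formatPaths(findDependencyPaths(constructedLock, "minimist")).join("\n"));
```

Against a real lock file, reading the JSON in place of `constructedLock` gives the same report that `npm ls minimist` prints; a path through `mv > mkdirp` is the one this issue is about.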