Are dependencies on old jest/yargs being fixed? In V3?


#1

npm audit fix on my project tells me 63 vulnerabilities (7 low, 24 moderate, 29 high, 3 critical). Most of the complaints seem to be the result of an obsolete version of jest and yargs.

Upgrading these is flagged as a breaking change, and the last time I tried npm audit fix --force it did indeed break my application.

It would be nice to know if there’s a plan to resolve this… and if so, whether it’s only going to be fixed in Jovo v4. In my case I don’t think the vulnerabilities really matter, but they still make me uncomfortable on principle. By definition, anything on the Internet these days is going to be attacked; one open vulnerability is too many.

(OK, I misremembered what version we were at when I first wrote this. You knew what I meant.)


#2

In our new v4 template there is a vulnerability (high) in one dependency which will be updated this week. I will also take a look for v3.

Thanks for flagging


#3

As of the latest update, it’s now saying we have 14 high (glob-parent and merge) and 3 critical (apparently in lodash, with no fix reported available).

I’m using v3.

This is not moving in the right direction, folks. If you’re deprecating v3, say so… Is v4 still better, at least?


#4

We’ve been working our butts off for the last 12 months to reinvent Jovo for v4. So yes, I strongly hope it’s “at least better”.

We are going to release it this week, this is why everything is a bit slow. Jovo is open source though, so it’s always possible to help tackle the problems you encounter using this free software.


#5

Ok, guess it’s time to consider migrating. Apologies for giving you a hard time about this, but maintenance is one of the things folks want from a library they’re betting their product on. Your current users, I assume, are mostly personal projects, but when you start getting folks wanting to use this for “serious” work they’re going to be much less patient.

I’m starting to get almost comfortable enough in Jovo and node.js to consider starting to dive into the docs and source and pay back in more than a documented example.


#6

We just uploaded the migration guide. There are probably lots of potential improvements. Let us know if there is anything you’re missing: https://v4.jovo.tech/docs/migration-from-v3


#7

Many thanks. From the docs you had posted I could see what your intended restructuring was, but details weren’t obvious and I wasn’t looking forward to figuring it out by trial and error. This should help.

Have you rewritten the examples yet? If not I may be interested in attempting that, since I should go through some of those exercises anyway to make sure I grok v4.


#8

Thanks, not yet. I’m going to record a v4 video tomorrow, but we won’t get around to migrating all the examples. They will follow soon.


#9

Just to acknowledge the good work being done: my (mostly empty) jovov4 project reports only 8 moderate severity vulnerabilities after running npm audit fix. And the remaining issues seem to be SQL injection and XSS hazards, which are OK (though not ideal) if they apply to tools only being run during development. Much better, many thanks!
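Added triage example (not code from this thread or from the Jovo project): the “breaking change” warning in post #1 and the “no fix available” finding in post #3 both come from the fixAvailable field of the npm audit --json report (auditReportVersion 2), and this script sorts a report into the buckets a maintainer has to decide on. The sample report below is constructed to mirror the packages named in the thread, and the jest 27.0.0 fix target is an assumed placeholder, not a real advisory.

```python
import json
from collections import Counter

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
# modelled on the packages named in this thread; not real advisory data.
SAMPLE_AUDIT = json.loads("""
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "lodash": {"name": "lodash", "severity": "critical", "isDirect": false,
               "via": ["lodash"], "nodes": ["node_modules/lodash"],
               "fixAvailable": false},
    "glob-parent": {"name": "glob-parent", "severity": "high", "isDirect": false,
                    "via": ["glob-parent"], "nodes": ["node_modules/glob-parent"],
                    "fixAvailable": true},
    "yargs": {"name": "yargs", "severity": "high", "isDirect": true,
              "via": ["yargs-parser"], "nodes": ["node_modules/yargs"],
              "fixAvailable": {"name": "jest", "version": "27.0.0",
                               "isSemVerMajor": true}}
  }
}
""")


def triage(report):
    """Split an npm audit (v2 JSON) report into actionable buckets.

    Returns severity counts plus three package lists:
    - "safe_fix": resolvable by plain `npm audit fix` (fixAvailable true, or a
      non-major bump)
    - "breaking_fix": needs `npm audit fix --force` (fixAvailable names a
      semver-major bump of a top-level package; the thing that broke post #1's app)
    - "no_fix": no upstream fix published (fixAvailable false), as with lodash in post #3
    """
    vulns = report.get("vulnerabilities", {})
    out = {"by_severity": Counter(v["severity"] for v in vulns.values()),
           "safe_fix": [], "breaking_fix": [], "no_fix": []}
    for name, v in sorted(vulns.items()):
        fix = v.get("fixAvailable", False)
        if fix is True:
            out["safe_fix"].append(name)
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            # npm reports which top-level package must be bumped, and to what
            out["breaking_fix"].append((name, fix["name"], fix["version"]))
        elif isinstance(fix, dict):
            out["safe_fix"].append(name)
        else:
            out["no_fix"].append(name)
    return out


if __name__ == "__main__":
    # Replace SAMPLE_AUDIT with json.load(open("audit.json")) for a real report
    print(json.dumps(triage(SAMPLE_AUDIT), indent=2))
```

Run npm audit --omit=dev --json first if you only want the production dependency tree, which is the distinction post #9 draws for dev-only tooling.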