Npm audit error because of json-schema-generator package
mariouhrin opened this issue
Describe the bug
I'm using this library with prism for building a simple mock server service, and during the CI/CD pipeline build I got a lot of npm audit
vulnerabilities. Because of that my pipeline failed.
The old dependencies of the json-schema-generator
library are causing these npm audit vulnerabilities.
To Reproduce
- git clone https://github.com/stoplightio/http-spec
- cd http-spec
- npm install
- npm audit
Expected behavior
You will get high and medium npm audit vulnerabilities like below:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Insufficient Entropy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.1.3 <4.0.0 || >=4.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @stoplight/prism-cli │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @stoplight/prism-cli > @stoplight/prism-http > │
│ │ @stoplight/http-spec > json-schema-generator > request > │
│ │ hawk > cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/720 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Environment (remove any that are not applicable):
- Node v12.14.0
- npm v6.13.4
- Mac OS (iterm2)
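The reproduction above fails the pipeline on the raw `npm audit` exit status. As an added example (not code from this issue or from the http-spec project), the following CI gate reads the JSON form of the same report, fails only at or above a chosen severity, and prints the dependency path plus the direct dependency that would need to be bumped or replaced. The `SAMPLE_AUDIT` object is constructed here to mirror the shape of npm 6 `npm audit --json` output using the advisory shown in the issue; the `3.1.2` version string and all function names are assumptions.

```javascript
// Added example, not part of the http-spec project: gate a CI job on
// `npm audit --json` output (npm 6 format) at a chosen severity threshold and
// report the dependency chain for each failing advisory.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the npm 6 `npm audit --json` shape, populated
// from the advisory quoted in the issue (advisory 720, cryptiles). The
// finding's version string is an assumption for illustration.
const SAMPLE_AUDIT = {
  advisories: {
    '720': {
      id: 720,
      module_name: 'cryptiles',
      severity: 'high',
      title: 'Insufficient Entropy',
      patched_versions: '>=3.1.3 <4.0.0 || >=4.1.2',
      url: 'https://npmjs.com/advisories/720',
      findings: [
        {
          version: '3.1.2', // constructed value
          paths: [
            '@stoplight/prism-cli>@stoplight/prism-http>@stoplight/http-spec>json-schema-generator>request>hawk>cryptiles',
          ],
        },
      ],
    },
  },
};

// Flatten the advisories map into one record per (advisory, dependency path).
function collectFindings(audit) {
  const out = [];
  for (const adv of Object.values(audit.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        out.push({
          id: adv.id,
          module: adv.module_name,
          severity: adv.severity,
          title: adv.title,
          patchedIn: adv.patched_versions,
          url: adv.url,
          version: finding.version,
          path: path.split('>'), // npm 6 joins path segments with '>'
        });
      }
    }
  }
  return out;
}

// Keep only findings at or above `threshold`; these are the ones that fail CI.
function findingsAtOrAbove(audit, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  return collectFindings(audit).filter(
    (f) => (SEVERITY_RANK[f.severity] || 0) >= min
  );
}

// The package that `ownPackage` depends on directly along this path, i.e. the
// dependency whose bump or replacement would remove the advisory. If the
// project is not in the path, the first segment is the top-level dependency.
function directDependencyInPath(path, ownPackage) {
  const i = path.indexOf(ownPackage);
  return i >= 0 && i + 1 < path.length ? path[i + 1] : path[0];
}

// Build the human-readable report and the exit code a CI step should use.
function gate(audit, threshold, ownPackage) {
  const failing = findingsAtOrAbove(audit, threshold);
  const lines = failing.map(
    (f) =>
      `${f.severity.toUpperCase()} ${f.module}@${f.version} (${f.title}, ${f.url})\n` +
      `  patched in: ${f.patchedIn}\n` +
      `  via: ${f.path.join(' > ')}\n` +
      `  bump or replace: ${directDependencyInPath(f.path, ownPackage)}`
  );
  return { exitCode: failing.length ? 1 : 0, report: lines.join('\n') };
}
```

In a pipeline, parse the file written by `npm audit --json > audit.json`, pass it to `gate(audit, 'high', '@stoplight/http-spec')`, print `report`, and exit with `exitCode`; with the sample above the gate fails at `high` and names `json-schema-generator` as the dependency to bump, but passes at `critical`.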
@mariouhrin I've updated all the possible dependencies in #96, but unfortunately the problem will persist at this stage. We'd need to somehow bump the thing in json-schema-generator.
Thanks for your work,
The main problem is the old request package in json-schema-generator.
The last update to json-schema-generator was 3 years ago; it seems like a dead project.
Yeah I saw that. The project might be old but it still works great for our use case. I'm open to other suggestions though!
Sorry for my late response, I was on vacation
So for me it would be something nice to have, because the service I built was just a swagger mock server with example data, and the security check via npm audit can be skipped.
If there are no alternatives for json-schema-generator then let's keep it.