On vulnerable dependencies
This thread serves two purposes:
- To explain what issues to not create on this tracker, and
- To provide a place to ask questions regarding vulnerabilities & auditing
What issues to not create
A transitive dependency is a dependency of another dependency. This library can e.g. depend on dependency `A`, which in turn depends on `B`. In this case, `B` can be considered a transitive dependency.
Issues regarding transitive dependencies are often not actionable. For instance, if a vulnerability has been detected in `B`, then installing this library will contain said vulnerability. It's not until both `B` has been updated and `A`'s dependency on `B` has been updated that this library can be updated.
Below is an example of `npm audit` output (from #1277). This illustrates a vulnerability of a transitive dependency (@badeball/cypress-cucumber-preprocessor -> find-cypress-specs -> tsx -> esbuild) and was at the time not actionable, i.e. nothing could be done in this repository to remedy the vulnerability warning.
```
esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install @badeball/[email protected], which is a breaking change
node_modules/tsx/node_modules/esbuild
  tsx  >=3.13.0
  Depends on vulnerable versions of esbuild
  node_modules/tsx
    find-cypress-specs  >=1.42.0
    Depends on vulnerable versions of tsx
    node_modules/find-cypress-specs
      @badeball/cypress-cucumber-preprocessor  >=21.0.0
      Depends on vulnerable versions of find-cypress-specs
      node_modules/@badeball/cypress-cucumber-preprocessor
```
Issues regarding transitive dependencies usually don't belong on this tracker. You might have better luck looking at the trackers of each dependency in the dependency chain, to see if a vulnerability ticket has already been created.
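To decide before filing whether an `npm audit` finding is something this repository can act on, the chain above can be reproduced mechanically from `npm audit --json`. The snippet below is an added example, not code from this project: it assumes the npm v7+ JSON report shape (a `vulnerabilities` map whose entries carry `isDirect`, `via` and `effects`), and the report it parses is constructed to mirror the esbuild chain quoted above.

```javascript
// Classify `npm audit --json` findings as direct (fixable in this repo) or
// transitive (must be fixed upstream first). Report shape assumed: npm v7+,
// where `via` holds advisory objects for the root cause and package-name
// strings for links in the chain, and `effects` lists dependents.
// This sample report is constructed to mirror the chain quoted in the issue.
const sampleReport = {
  vulnerabilities: {
    esbuild: {
      name: "esbuild", severity: "moderate", isDirect: false, range: "<=0.24.2",
      via: [{ source: 0, name: "esbuild", severity: "moderate", range: "<=0.24.2",
        title: "esbuild enables any website to send any requests to the development server and read the response",
        url: "https://github.com/advisories/GHSA-67mh-4wv8-2f99" }],
      effects: ["tsx"], fixAvailable: true,
    },
    tsx: { name: "tsx", severity: "moderate", isDirect: false, range: ">=3.13.0",
      via: ["esbuild"], effects: ["find-cypress-specs"], fixAvailable: true },
    "find-cypress-specs": { name: "find-cypress-specs", severity: "moderate", isDirect: false,
      range: ">=1.42.0", via: ["tsx"], effects: ["@badeball/cypress-cucumber-preprocessor"], fixAvailable: true },
    "@badeball/cypress-cucumber-preprocessor": { name: "@badeball/cypress-cucumber-preprocessor",
      severity: "moderate", isDirect: true, range: ">=21.0.0", via: ["find-cypress-specs"], effects: [], fixAvailable: true },
  },
};

// Follow `effects` from a root-cause package up to every package that is a
// direct dependency of this project, returning each path as an array of names.
function chainsToDirect(vulns, name, path = [name], seen = new Set()) {
  const entry = vulns[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  if (entry.isDirect) return [path];
  return entry.effects.flatMap((next) =>
    chainsToDirect(vulns, next, [...path, next], new Set(seen)));
}

// One finding per advisory (object entries in `via`). A finding is actionable
// in this repo only when the vulnerable package is itself a direct dependency;
// otherwise the chain shows which upstream packages must release fixes first.
function classifyFindings(report) {
  const vulns = report.vulnerabilities;
  const findings = [];
  for (const entry of Object.values(vulns)) {
    for (const adv of entry.via) {
      if (typeof adv !== "object") continue; // string entries are chain links, not advisories
      findings.push({
        advisory: adv.url, package: entry.name, severity: adv.severity,
        actionable: entry.isDirect,
        chains: chainsToDirect(vulns, entry.name).map((c) => c.join(" -> ")),
      });
    }
  }
  return findings;
}
```

Running `classifyFindings(sampleReport)` yields a single finding for the esbuild advisory marked `actionable: false`, with the chain `esbuild -> tsx -> find-cypress-specs -> @badeball/cypress-cucumber-preprocessor`; a finding with `actionable: true` is the case where an issue requesting a dependency bump makes sense.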
What issue to create
If you find that a specific and direct dependency can be updated, then you may open up an issue to request so. Renovate is used to periodically and automatically update dependencies. Thus, if you find that a dependency has been updated but the change not yet released, you may also open up an issue to request so.
What questions to post here
You can ask a variety of questions here; however, there are certain types of questions which I likely won't engage with: questions about npm usage, questions about renovate usage or similar tools, workarounds in regards to vulnerabilities, and possibly more. However, others are encouraged to contribute with solutions if faced with the same issues.
On deprecated dependencies
Everything explained above about vulnerable dependencies goes for deprecated dependencies as well. Unless your issue regarding a deprecated dependency is actionable, it probably doesn't belong in the issue tracker (yet).