Ross Coundon
02/28/2022, 12:57 PM

Frank
@serverless-stack/cli@0.60.8
└─┬ aws-cdk@2.7.0
  └─┬ proxy-agent@5.0.0
    └─┬ pac-proxy-agent@5.0.0
      └─┬ pac-resolver@5.0.0
        └─┬ degenerator@3.0.1
          └── vm2@3.9.5

degenerator fixed the vm2 vulnerability in 3.0.2, but pac-resolver hasn't updated its dep to use the newer degenerator.

Frank
vm2 in ur package.json:
"resolutions": {
  "vm2": "3.9.9"
},

Frank
More generally, what's the release strategy for new versions of aws-cdk-lib?
Currently it's still request-based. But it makes sense that we automate this process using GitHub Actions. 🤔

Chad (cysense)
03/01/2022, 3:14 AM
@serverless-stack/cli@0.60.8
then can this not just be put in devDependencies?
If it's in devDependencies npm audit won't flag it. But more importantly the vulnerable code won't be in your production app so effectively the risk will be managed.

Frank
cli to devDependencies in our templates?

thdxr
03/01/2022, 4:32 AM