TryQuiet/zbay

Dependabot alerts

Opened this issue · 2 comments

EmiM commented

This task is to sum up the progress of upgrading/removing vulnerable versions of packages, or to keep information on why we can't upgrade them.

Current vulnerabilities

Waggle:

  • lodash < 4.17.21 (blocked by orbitdb - lodash is a dependency of libp2p)
  • hosted-git-info < 2.8.9 (blocked by eslint-plugin-import, but they plan to remove the dependency: import-js/eslint-plugin-import#2048)
  • xmlhttprequest-ssl < 1.6.2 (blocked by orbitdb - lodash is a dependency of ipfs)
  • private-ip < 2.0.0 (blocked by orbitdb - lodash is a dependency of ipfs - orbitdb/orbitdb#882)
  • node-forge < 0.10.0 (blocked by orbitdb)
  • ecstatic < 4.1.3 (dependency of http-server - I removed http-server because we don't use it anyway)
  • normalize-url < 4.5.1 (blocked by orbitdb, dependency of ipfs)

ZbayLite:

  • sanitize-html < 2.3.2 (version updated)