Swagger-tools raising security risks

Question

Swagger-tools raising security risks

Opened this issue 5 years ago · 5 comments

Hi Team,
we are using swagger-tools and now our security team has raised a License issue with it as Swagger is using json-refs which inturn is using Slash.
Slash is flagged as vulnerable with GPL license.
Our current version is:
Swagger-tools : 0.10.1
→ json-refs : 2.1.7
→slash : 1.0.0 (Vulnerable)
we can upgrade it but slash vulnerability still remains and slash not in development from 2006.
Could you please let us know if we have any alternative here. It is very critical as our production release will be stuck.

Answer 1 · 2019-06-13T22:20:34.000Z

Hi Swagger Team,
please let me know if there is any work around on this.
thanks
Sumit

Answer 2 · 2019-06-20T09:00:10.000Z

Looks like this is an abandoned project, they should state that in their README

Answer 3 · 2019-06-20T20:32:29.000Z

I'll take a peek. Development on swagger-tools is halted, with only high impact bug fixes being implemented at this time. Please see #335 for more details.

Answer 4 · 2020-03-17T14:31:02.000Z

can there a release of swagger-tools with just updated third party modules? This will fix lot of security related issues.

Answer 5 · 2022-06-13T09:10:51.000Z

@whitlockjc is swagger-tools being deprecated? I would like to understand if vulnerabilities will be fixed.
Also, sway-connect doesn't seems to be a recent project and active mantained.
What is the alternative to swagger-tools that is being maintained?