Sonatype reports vulnerabilities in i18next version used by aurelia-i18n
adityazagade opened this issue · 3 comments
- Library Version: 3.1.4
- Operating System: Windows10
- Node Version: v12.21.0
- NPM Version: 6.14.11
- Browser: all
- Language: (Don't know what to put here) all | TypeScript X.X | ESNext
Current behavior:
Sonatype has reported security vulnerabilities in i18next v14.1.1
sonatype-2020-0598 8.1 i18next : 14.1.1
sonatype-2020-0577 7.5 i18next : 14.1.1
sonatype-2021-0184 7.5 i18next : 14.1.1
CVSS scores of 8.1, 7.5 are high.
However, using 19.8.5 by doing npm forced causes the build to fail with the following error:
/aurelia-i18n/dist/aurelia-i18n.d.ts(8,49): error TS2503: Cannot find namespace 'i18next'.
/aurelia-i18n/dist/aurelia-i18n.d.ts(12,49): error TS2503: Cannot find namespace 'i18next'.
/aurelia-i18n/dist/aurelia-i18n.d.ts(29,43): error TS2503: Cannot find namespace 'i18next'.
/aurelia-i18n/dist/aurelia-i18n.d.ts(31,37): error TS2503: Cannot find namespace 'i18next'.
/aurelia-i18n/dist/aurelia-i18n.d.ts(36,39): error TS2503: Cannot find namespace 'i18next'.
/aurelia-i18n/dist/aurelia-i18n.d.ts(173,31): error TS2503: Cannot find namespace 'i18next'.
TypeScript: 6 semantic errors
I think that the changes made in i18next 19.0.0 have caused these breaking changes. Please look at their change.md file for more details.
- What is the expected behavior?
All these are fixed in i18next version 19.8.5 or higher. Could this dependency be updated?
By changing the import statement in aurelia-i18n.d.ts to
import * as i18next from "i18next";
I was able to build.
Is there any plan to roll this package upgrade into a future release?
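To see which installed copies of i18next a scanner is flagging and which packages pull them in, the npm 6 lockfile can be walked directly. The following is an added example, not part of the original issue or of aurelia-i18n: the lockfile fragment, the `^14.0.1` range and the `example-widget` package are constructed, and the 19.8.5 threshold is the fixed version the reporter names.

```javascript
// Constructed example; FIXED is the version the issue reports as fixed.
const FIXED = "19.8.5";

// Compare two plain x.y.z versions; returns <0, 0 or >0. Pre-release tags are ignored.
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a lockfileVersion 1 tree (npm 6) and collect every installed copy of
// `name` older than `fixed`, plus the packages whose `requires` pull it in.
function findOutdated(lock, name, fixed) {
  const hits = [];
  const requiredBy = [];
  (function walk(deps, path) {
    for (const [pkg, info] of Object.entries(deps || {})) {
      const here = path.concat(pkg);
      if (pkg === name && cmp(info.version, fixed) < 0) {
        hits.push({ path: here.join(" > "), version: info.version });
      }
      if (info.requires && name in info.requires) {
        requiredBy.push(`${pkg}@${info.version} requires ${name}@${info.requires[name]}`);
      }
      walk(info.dependencies, here);
    }
  })(lock.dependencies, []);
  return { hits, requiredBy };
}

// Constructed package-lock.json fragment: one hoisted copy, one nested copy.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "aurelia-i18n": { version: "3.1.4", requires: { i18next: "^14.0.1" } },
    i18next: { version: "14.1.1" },
    "example-widget": {
      version: "1.0.0", requires: { i18next: "^19.8.5" },
      dependencies: { i18next: { version: "19.9.2" } },
    },
  },
};

const report = findOutdated(sampleLock, "i18next", FIXED);
console.log(JSON.stringify(report, null, 2));
```

Against a real project, replace `sampleLock` with the parsed contents of `package-lock.json`; the nested copy at or above the threshold is deliberately not reported.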