CVE check denying ramda@0.28.0, which pact-foundation/pact depends on
julielaursen opened this issue · 3 comments
Software versions
Please provide at least OS and version of pact-js
- OS: Mac OS Sonoma 14.5
- Consumer Pact library: @pact-foundation/pact 12.5.0
- Node Version: v18.20.2
Issue Checklist
Please confirm the following:
- I have upgraded to the latest
- I have read the FAQs in the Readme
- I have triple checked, that there are no unhandled promises in my code and have read the section on intermittent test failures
Expected behaviour
Pact should not cause issues in Fossa vulnerability scanning software
Actual behaviour
In our Fossa step in CI, we are getting this error:
This license is denied by your licensing policy.
This issue exists in a transitive dependency.
for version ramda (0.28.0)
When I run yarn why ramda
I get:
├─ @pact-foundation/pact@npm:12.5.0
│ └─ ramda@npm:0.28.0 (via npm:^0.28.0)
│
I suspect this may be the same issue as #962 and #880
Because Fossa is required in CI, this blocks our CI for all PRs moving forward
Ramda just needed an update. Strange snyk/dependabot didn't pick this up yet.
In any case, it will be fixed in the next release.
@mefellows my team is blocked completely by this, do you have an ETA on when that next release might be?
You should really build your CI systems to be resilient to such things. This is a development dependency, what's the actual risk? It's just security theatre.
There are ways to replace packages that are vulnerable using yarn, I'd suggest you do that for now as a workaround until the next release is out.
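As an added example of the yarn workaround suggested in the comment above (this is not code from the thread or from the pact project), the transitive ramda can be pinned to a newer release through the `resolutions` field of package.json, scoped to the dependency that pulls it in so that nothing else in the tree is touched. The package name, the `description` text and the target ramda version are placeholders and assumptions; pick whichever release your scanner accepts:

```json
{
  "name": "consumer-service",
  "description": "example only: the ramda version under resolutions is a placeholder, not an advisory-derived fix version",
  "private": true,
  "dependencies": {
    "@pact-foundation/pact": "12.5.0"
  },
  "resolutions": {
    "@pact-foundation/pact/ramda": "0.30.1"
  }
}
```

The `parent/child` key form is accepted by both Yarn classic and Yarn Berry; the `npm:` prefixes in the `yarn why` output above indicate Berry, where the unscoped form `"ramda": "0.30.1"` would override every copy of ramda in the tree instead. After editing, run `yarn install` and then `yarn why ramda` again to confirm that @pact-foundation/pact now resolves the pinned version, and drop the override once a pact release ships without the old ramda, since a forgotten resolution will silently keep pinning a dependency the upstream project has long since moved past.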