siemens/ix

ix-aggrid is peerDependent to vulnerable versions of Ag Grid

karakuz opened this issue · 1 comment

Prerequisites

  • I have read the Contributing Guidelines.
  • I have not leaked any internal/restricted information like screenshots, videos, code snippets, links etc.

What happened?

According to package-lock.json, @siemens/ix-aggrid is peer-dependent on ag-grid for versions ^28 || ^29 || ^30, and ag-grid packages are vulnerable to Prototype Pollution for versions < 32.0.1.

We cannot deploy changes since we have a vulnerability scanner in our pipelines. Using npm ci while building:

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @siemens/ix-aggrid@2.1.6
npm ERR! Found: ag-grid-community@32.1.0
npm ERR! node_modules/ag-grid-community
npm ERR!   ag-grid-community@"^32.1.0" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer ag-grid-community@"^28 || ^29 || ^30" from @siemens/ix-aggrid@2.1.6
npm ERR! node_modules/@siemens/ix-aggrid
npm ERR!   @siemens/ix-aggrid@"^2.1.3" from the root project

"node_modules/@siemens/ix-aggrid": {
      "version": "2.1.6",
      "resolved": "https://registry.npmjs.org/@siemens/ix-aggrid/-/ix-aggrid-2.1.6.tgz",
      "integrity": "sha512-Jo/XmPbhlcZIf1EuQ/h8+HpQX27JWbb+e9Y5QsYNNU9TbTEZoOkKKx3jhZqHne0whm442Cs6ByRWBR2x3As3qw==",
      "dependencies": {
        "@siemens/ix": "~2.4.1"
      },
      "peerDependencies": {
        "ag-grid-community": "^28 || ^29 || ^30"
      }
    }

What type of frontend framework are you seeing the problem on?

JavaScript

Which version of iX do you use?

2.4.1

Code to produce this issue.

Please check above.
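As an added example (not code from this issue or from the siemens/ix project), the following Node script performs the check a pipeline could run before `npm ci` fails with ERESOLVE: it walks a lockfile v2/v3 `packages` map and flags every installed package whose peer range on ag-grid-community cannot be satisfied by the first version the issue reports as not affected (32.0.1). The lockfile object is constructed for the example (the ix-aggrid entry mirrors the version and peer range quoted above; the `some-other-grid-wrapper` entry is hypothetical), and the function names are assumptions. The range parser deliberately covers only `^`, `~`, exact, `*` and `||`, and throws on anything else so it never reports a silently wrong answer.

```javascript
// Added example: audit a package-lock.json "packages" map for peer ranges that
// exclude a minimum patched version. Not code from the siemens/ix project.
// Constructed lockfile data and hypothetical helper names throughout.

function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// One "||" alternative -> inclusive lower bound and exclusive upper bound.
// Returns null for a wildcard. Supports exact, partial ("28"), "^" and "~".
function bounds(fragment) {
  const f = fragment.trim();
  if (f === '' || f === '*' || f === 'x') return null;
  if (/[<>=]/.test(f) || /\s/.test(f)) throw new Error(`unsupported range: ${f}`);
  const op = f[0] === '^' || f[0] === '~' ? f[0] : '';
  const body = op ? f.slice(1) : f;
  const lo = parseVersion(body);
  const written = body.replace(/^v/, '').split('.').length; // "^28" vs "^28.1.0"
  let hi;
  if (op === '^') {
    // caret: first non-zero component may not change (0.x rules included)
    if (lo[0] > 0 || written === 1) hi = [lo[0] + 1, 0, 0];
    else if (lo[1] > 0 || written === 2) hi = [0, lo[1] + 1, 0];
    else hi = [0, 0, lo[2] + 1];
  } else if (op === '~') {
    hi = written === 1 ? [lo[0] + 1, 0, 0] : [lo[0], lo[1] + 1, 0];
  } else {
    hi = written === 1 ? [lo[0] + 1, 0, 0]
       : written === 2 ? [lo[0], lo[1] + 1, 0]
       : [lo[0], lo[1], lo[2] + 1];
  }
  return { lo, hi };
}

function satisfies(range, version) {
  const v = parseVersion(version);
  return range.split('||').some((alt) => {
    const b = bounds(alt);
    return b === null || (cmp(v, b.lo) >= 0 && cmp(v, b.hi) < 0);
  });
}

// For every installed package that declares a peerDependency on depName,
// report whether its range accepts fixedVersion.
function auditPeerRanges(lockfile, depName, fixedVersion) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    const range = entry.peerDependencies?.[depName];
    if (range === undefined) continue;
    findings.push({
      package: path.replace(/^.*node_modules\//, ''),
      version: entry.version,
      range,
      allowsFixed: satisfies(range, fixedVersion),
    });
  }
  return findings;
}

// Constructed lockfile excerpt: the ix-aggrid entry mirrors the issue, the
// "some-other-grid-wrapper" package is hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@siemens/ix-aggrid': '^2.1.3', 'ag-grid-community': '^32.1.0' } },
    'node_modules/ag-grid-community': { version: '32.1.0' },
    'node_modules/@siemens/ix-aggrid': {
      version: '2.1.6',
      dependencies: { '@siemens/ix': '~2.4.1' },
      peerDependencies: { 'ag-grid-community': '^28 || ^29 || ^30' },
    },
    'node_modules/some-other-grid-wrapper': {
      version: '1.0.0',
      peerDependencies: { 'ag-grid-community': '^30 || ^31 || ^32' },
    },
  },
};

const FIXED_AG_GRID = '32.0.1'; // first version the issue reports as not affected

// Packages whose peer range would force a vulnerable ag-grid-community.
function blockers(lock = sampleLock) {
  return auditPeerRanges(lock, 'ag-grid-community', FIXED_AG_GRID)
    .filter((f) => !f.allowsFixed);
}

for (const f of auditPeerRanges(sampleLock, 'ag-grid-community', FIXED_AG_GRID)) {
  console.log(`${f.package}@${f.version} peer range "${f.range}" ` +
    `${f.allowsFixed ? 'accepts' : 'BLOCKS'} ag-grid-community@${FIXED_AG_GRID}`);
}
```

Running this against a real lockfile (replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`) gives a deterministic list of which transitive packages, not just the root project, pin the vulnerable range, which is the information a scanner finding usually lacks. Because the parser rejects comparator and hyphen ranges instead of guessing, any throw means the range needs a full semver implementation, not that it is safe.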

The dependency update is already tracked via #1131. I will close this issue here.