trentm/node-bunyan

mv dependency vulnerable

Prophet32j opened this issue · 3 comments

I created an issue on that project: andrewrk/node-mv#33

mv hasn't been updated in 6 years. It has a vulnerable version of mkdirp which has since been updated to completely remove the dependency minimist.
See CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-7598

I think it's important to keep our projects up-to-date and vulnerability-free. We can wait for the project maintainers to respond, however I feel that a project that hasn't been touched in over 6 years is likely to not garner much support from the creator. Could be wrong.

Courses of Action

1: Wait and See

Give the project maintainers some time to respond. See what they say, if anything. Perhaps they're willing to dust off the project and upgrade their dependencies.

2: Fork, Fix, and Replace

Fork the mv library, upgrade the dependencies, publish under a new name that can be housed in a node-bunyan group of projects to support this awesome logger.

3: Move Away from mv

Find an alternative module similar to mv but that's been updated to the latest node base. A new module may likely be better with a similar API.
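Added example (my own script, not code from bunyan or mv): walk a package-lock.json and print every dependency path that reaches a flagged package, so you can confirm whether the mv > mkdirp > minimist chain described above is actually present in an install before picking one of the options. The lockfile fragment is constructed, and the fix releases in FIXED_MINIMIST are assumed from the advisory; confirm them against the NVD entry linked above.

```javascript
// Added example, not code from bunyan or mv: walk a package-lock.json (lockfileVersion 1,
// hoisted layout) and report every dependency path reaching a package whose installed
// version predates the release that fixes the advisory. Lockfile below is constructed.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    bunyan:   { version: "1.8.12", requires: { mv: "~2" } },
    mv:       { version: "2.1.1",  requires: { mkdirp: "~0.5.1" } },
    mkdirp:   { version: "0.5.1",  requires: { minimist: "0.0.8" } },
    minimist: { version: "0.0.8" },
    "safe-json-stringify": { version: "1.2.0" }, // unrelated; must not be reported
  },
};
// Assumed fix releases for CVE-2020-7598 (0.x and 1.x lines); confirm against the NVD entry.
const FIXED_MINIMIST = ["0.2.1", "1.2.3"];
const parseVersion = (v) => v.replace(/^[^\d]*/, "").split(".").map((p) => parseInt(p, 10) || 0);
function versionLessThan(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}
// Affected if below the fix on its own major line; with no fix there, only if it predates every fix.
function isVulnerable(installed, fixedVersions) {
  const major = parseVersion(installed)[0];
  const sameLine = fixedVersions.filter((f) => parseVersion(f)[0] === major);
  if (sameLine.length) return sameLine.some((f) => versionLessThan(installed, f));
  return fixedVersions.every((f) => versionLessThan(installed, f));
}
// Depth-first walk over `requires` edges, starting from packages nothing else requires.
function findPaths(lock, target) {
  const deps = lock.dependencies || {};
  const required = new Set(), paths = [];
  for (const e of Object.values(deps)) for (const c of Object.keys(e.requires || {})) required.add(c);
  const walk = (name, trail) => {
    if (!deps[name] || trail.includes(name)) return; // missing entry or cycle
    const next = [...trail, name];
    if (name === target) { paths.push(next.join(" > ")); return; }
    for (const child of Object.keys(deps[name].requires || {})) walk(child, next);
  };
  for (const root of Object.keys(deps)) if (!required.has(root)) walk(root, []);
  return paths;
}
function auditLock(lock, target, fixedVersions) {
  const entry = (lock.dependencies || {})[target];
  if (!entry) return { installed: null, vulnerable: false, paths: [] };
  return { installed: entry.version, vulnerable: isVulnerable(entry.version, fixedVersions),
           paths: findPaths(lock, target) };
}
console.log(JSON.stringify(auditLock(SAMPLE_LOCK, "minimist", FIXED_MINIMIST), null, 2));
```

Replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to run it against a real project; nested (non-hoisted) entries are not resolved by this walk.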


I have to say we really like bunyan logger. It's mature, lightweight, and it worked better out of the box than winston which was more complicated and didn't like stack traces much without more configuration. Large companies are using this logger. We should take care to keep things up to date to gain wider adoption.

It's been almost a month and no one has responded on the vulnerability. Can one of the owners/maintainers of this project give some input on how you want to fix the issue of a vulnerable dependency?

We have moved away from this logger. I'm keeping this open so others have visibility on the inactivity.