[Question] Vulnerability Handling and pinned versions in exposed dependencies #796

Open
skatterwe opened this issue Sep 11, 2024 · 5 comments

@skatterwe
I was just wondering if it might be an option to at least allow any bugfix version in the dependencies you have specified.

Currently the dependencies are completely fixed. And in a case like now, where a peer dependency (@nestjs/core) has a vulnerability, you would need a new release to include the available bugfix.

I was wondering if it might be an option to open up a bit and allow any bugfix versions.

```json
"node_modules/@openapitools/openapi-generator-cli": {
  ...
  "dependencies": {
    "@nestjs/axios": "3.0.2",
    "@nestjs/common": "10.3.0",
    "@nestjs/core": "10.3.0",  // <- this currently has a high vulnerability, but just a clean install won't fix it due to pinned version
    "@nuxtjs/opencollective": "0.3.2",
    "axios": "1.7.4",
    "chalk": "4.1.2",
    "commander": "8.3.0",
    "compare-versions": "4.1.4",
    "concurrently": "6.5.1",
    "console.table": "0.10.0",
    "fs-extra": "10.1.0",
    "glob": "7.2.3",
    "https-proxy-agent": "7.0.4",
    "inquirer": "8.2.6",
    "lodash": "4.17.21",
    "reflect-metadata": "0.1.13",
    "rxjs": "7.8.1",
    "tslib": "2.6.2"
  },
  ...
}
```
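As an added example (not code from this thread or from openapi-generator-cli), a small JavaScript resolver that models the point above: an exact pin keeps resolving to the same version no matter how often you reinstall, while a tilde range lets a clean install pick up a patch release. The registry versions and the advisory threshold are constructed, hypothetical values.

```javascript
// Added example, not from the issue or the project: a minimal resolver that
// shows why an exact pin such as "10.3.0" keeps a vulnerable version installed
// while a patch range "~10.3.0" picks up the fix on a clean install.
// Handles only exact versions and tilde ranges; no prerelease tags.

// Constructed registry listing: these versions are hypothetical, not npm data.
const REGISTRY = {
  "@nestjs/core": ["10.2.9", "10.3.0", "10.3.1", "10.3.2", "10.4.0"],
};

// Constructed advisory: assume everything below 10.3.2 is affected (hypothetical).
const ADVISORIES = { "@nestjs/core": { fixedIn: "10.3.2" } };

const parse = (v) => v.split(".").map(Number);

// Numeric major.minor.patch comparison: negative if a < b, 0 if equal.
function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Does `version` satisfy `range`? Exact pin: equality only.
// "~x.y.z": same major.minor and patch >= z (npm's tilde semantics).
function satisfies(version, range) {
  if (!range.startsWith("~")) return compare(version, range) === 0;
  const want = parse(range.slice(1)), got = parse(version);
  return got[0] === want[0] && got[1] === want[1] && got[2] >= want[2];
}

// Highest published version matching the range, as a fresh install would pick.
function resolve(name, range) {
  const ok = (REGISTRY[name] || []).filter((v) => satisfies(v, range));
  return ok.length ? ok.sort(compare)[ok.length - 1] : null;
}

function isVulnerable(name, version) {
  const adv = ADVISORIES[name];
  return !!adv && compare(version, adv.fixedIn) < 0;
}

// The relaxation proposed in the issue: turn exact pins into "~" patch ranges,
// leaving any range that is already non-exact untouched.
function allowPatchUpdates(dependencies) {
  return Object.fromEntries(Object.entries(dependencies).map(
    ([n, r]) => [n, /^\d+\.\d+\.\d+$/.test(r) ? `~${r}` : r]));
}

const pinned = { "@nestjs/core": "10.3.0" };
for (const deps of [pinned, allowPatchUpdates(pinned)]) {
  const v = resolve("@nestjs/core", deps["@nestjs/core"]);
  console.log(deps["@nestjs/core"], "->", v, isVulnerable("@nestjs/core", v) ? "VULNERABLE" : "ok");
}
```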
@lucasgonze
lucasgonze commented Sep 11, 2024

The latest @nestjs/core has the same type of hard-coded version dependency, and it points straight to the vulnerable version: "path-to-regexp": "3.2.0". Turtles all the way down.

Need to get a fix into @nestjs/core, then get that released, then get that release version into @openapitools/openapi-generator-cli using the fix you described above, then get the fixed @openapitools/openapi-generator-cli into whatever your own package is. To track the fix see nestjs/nest#13955

@wing328
Member

wing328 commented Sep 18, 2024

#801 filed by @tomarad

please review when you guys have time

@numidia2015
I also kindly ask for the review :-)

@skatterwe
Author

skatterwe commented Sep 18, 2024

> The latest @nestjs/core has the same type of hard-coded version dependency, and it points straight to the vulnerable version: "path-to-regexp": "3.2.0". Turtles all the way down.
>
> Need to get a fix into @nestjs/core, then get that released, then get that release version into @openapitools/openapi-generator-cli using the fix you described above, then get the fixed @openapitools/openapi-generator-cli into whatever your own package is. To track the fix see nestjs/nest#13955

@lucasgonze I see. Yeah, I was not checking it completely down the tree; this lib was one of the entry points, so I was just wondering if those pinned versions were done on purpose or if it's an option to open up to ease those vulnerability updates a bit.

In our projects we, for example, have one dependency fixed because this beautiful dependency likes to introduce breaking changes in bugfix versions :D.

@wing328
Member

wing328 commented Sep 18, 2024

just merged the fix

please give it a try with the latest release (which will be published shortly)
