π security: Upgrade deps #59
Conversation
|
The problem comes from prisma dependencies which themselves have dependencies marked as dev, while they are used as production dependencies. They are therefore not referenced in the package-lock, which causes the build to fail. WIP |
|
Thanks for taking a look at this. Would it help to add thus dependencies? maybe as devDeps? We could take a look, how other generator libraries handle this situation |
|
I checked other extensions, it turns out that most of them use a version of prisma lower than 5.7.0 (version from which the concerned dependencies became dev dependencies), but have those high vulns. For the few extensions that I found that use a higher version, either the build does not work, or the missing dependencies are (by chance) installed indirectly by other dependencies Putting the missing deps as dev deps could be a solution if the build is not done in production mode. I tried, it works localy. I pushed this solution, you can run it in the CI if your are ok π |
|
Do you know when the next version will be released ? |
|
it would be awesome to get this version released, any time frame? |
|
When will it be merged? is it will support version 6? |
|
hellloooo ^^ Any plan to merge this PR (since the critical vulnerability is a real issue for most of dev/companies)? Cheers, |
|
@marcjulian could you prioritize this issue and merge it, if applicable? It's been 4 months already. |
Upgrade dependances to remove high severity vulnerabilities
From Prisma
5.0.0to5.22.0Also handling new types of DMMF attributes accordingly
Resolve Issue #58
Tests passed β