
mongodb: use driver 4.7.0 #50

Draft: wants to merge 1 commit into master

Conversation

rodmatos

@rodmatos rodmatos commented Jun 13, 2022

Since this project is running on an old mongodb driver version, we should update it.
Will address issue #51.

@EricThompson-PeopleReign

It would be great to get this merged in. There are Vulnerabilities in this package that can be remediated by this.

@rodmatos
Author

@EricThompson-PeopleReign: I haven't been able to get an answer from the maintainer, so I wouldn't be too hopeful.

@wzrdtales
Member

This merge request doesn't attempt to upgrade the version. Also, we will need to add gitlab actions to the repo now that Travis is non-free. I also don't have an environment with MongoDB right now to do manual testing, in case

@rodmatos
Author

@wzrdtales: I am aware of that. I am happy to contribute with the upgrade but the whole CI needs a revamp since it is using an outdated toolchain.

@wzrdtales
Member

Which toolchain do you mean? If you mean vows, it's not really worth the effort in time, but feel free to replace it with what the other projects already use, hapi lab.

@EricThompson-PeopleReign

I think moving away from vows would be a good idea. It also brings in some vulnerability issues unless it can be upgraded to 0.8.3, but apparently tests break if we do.

@wzrdtales
Member

wzrdtales commented Nov 15, 2022

Vulnerabilities in dev dependencies usually don't matter much; they don't end up in the end product. Also, you will need to learn to distinguish vulnerabilities. As a piece of advice, don't make everything an elephant.

We're talking about a CVE of type ReDoS vulnerability; there couldn't be anything less relevant in a dev dependency. If it is an RCE, ok, that is also dangerous over there, even though not actually relevant in most cases, since there has to be an actor to exploit it, which is very unlikely unless you're very specifically targeted by hackers.
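An added example (not code from this PR or the project) of the triage the comment above argues for: it checks whether a flagged package is reachable from production `dependencies` or only from `devDependencies`, then ranks the finding by that scope and the vulnerability class. Package names, versions and graph edges are constructed sample data, not the project's real lock file.

```javascript
// Added example (not the PR's or project's code): classify an audit finding by
// dependency scope and derive a triage priority from scope plus vulnerability class.
// All package names, versions and graph edges below are constructed sample data.

const packageJson = {
  dependencies: { mongodb: "x.y.z" },   // shipped to consumers of the package
  devDependencies: { vows: "x.y.z" },   // test runner, never installed by consumers
};

// Constructed, flattened dependency graph: package -> its direct dependencies.
// A real tool would build this from package-lock.json or `npm ls --json`.
const depGraph = {
  mongodb: ["bson"],
  bson: [],
  vows: ["eyes", "diff"],
  eyes: [],
  diff: [],
};

// Transitive closure of the packages reachable from the given roots.
function reachable(roots, graph) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of graph[name] || []) stack.push(dep);
  }
  return seen;
}

// "production" if consumers install the module, "dev-only" if only devDependencies
// pull it in, "unreachable" if it is not in the tree at all.
function classifyScope(pkgName, pkg, graph) {
  if (reachable(Object.keys(pkg.dependencies || {}), graph).has(pkgName)) return "production";
  if (reachable(Object.keys(pkg.devDependencies || {}), graph).has(pkgName)) return "dev-only";
  return "unreachable";
}

// Priority follows the thread's argument: anything on the production path is fixed
// first; a ReDoS confined to test tooling only affects a developer's own machine or
// CI, while an RCE there still exposes developer hosts and CI secrets.
function triage(finding, pkg, graph) {
  const scope = classifyScope(finding.name, pkg, graph);
  let priority = "info";
  if (scope === "production") priority = "high";
  else if (scope === "dev-only") priority = finding.type === "RCE" ? "medium" : "low";
  return { name: finding.name, type: finding.type, scope, priority };
}
```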
