Multiple vulnerabilities in app-config dependencies

[danielsitnik]

Hi guys, it's me again. 😄
I've been using app-config for some time now and it's been working great.

However, I can't help but notice that the current version has a number of high and critical vulnerabilities:

As I'm working in a corporate environment, our applications are subject to vulnerability scanning and our security guys will start questioning me about these issues very soon. 😁

I'd like to ask if you can look into it and maybe fix the vulnerable versions in a 2.8.7 release?

Also, is there any news on when can we expect the new version 3? I'm really hopeful for the more modular approach that should be introced in it.

Thanks!

[joelgallant]

I'm updating some today, although my time is stretched very thin lately. Version 3 is still somewhere on my bucket list, but I wouldn't want to get anyone's hopes up.

[danielsitnik]

Thank you @joelgallant!
It's been reduced to just a "high" vulnerability in node-fetch now.

[joelgallant]

Could you yarn why node-fetch? I believe this is from quicktype-core -> isomorphic-fetch, which we can't update w/o a breaking change. We don't use the XHR request part of that lib anyways, so it should be safe.

[danielsitnik]

Yep, it comes from quicktype-core: