fixes deprecated & vulnerable phin dependency version #12
Conversation
DevonAM
changed the title
DevonAM
changed the title
DevonAM
changed the title
|
This seems to hit quite a few people depending on |
|
Unfortunately, it looks like I've been removed from all Experience-Monks repositories, so I'd have to fork this repo and re-publish a patch (I still hold the npm package). |
|
Ergh, I'm sorry 😅 sounds pretty straightforward though, are you up for it? |
|
@mattdesl I've added you to the repo if you are up to continue maintaining it |
|
This should be fixed now in the latest commit and npm publish, let me know if that works. I've tweaked your PR slightly to stick with error handling and a callback-style approach (function continues to return void), and added a server test. Ideally this module should be repurposed to get rid of XHR/server/request features altogether, which would reduce its surface area for attacks and such, but I'm not sure how that would break dependants who might want/expect this feature to exist after so long. |
|
Thanks a lot for the awesome work @mattdesl ! 🥳 nice to have snyk finally say that it detected no vulnerabilities ! (Btw I saw that there is no tag on the github repo for 1.4.2) |
|
Tag pushed! |
What kind of change does this PR introduce? (check at least one)
" Updated the phin dependency to a non-deprecated, non-vulnerable version and updated the usage.
Does this PR introduce a breaking change? (check one)
Did you test your solution?
The original test.js passed all tests.
Problem Description
The dependency [email protected] is deprecated and is marked as a vulnerability.
Solution Description
Updated phin to a non-deprecated version, 3.7.1.
The phin function no longer accepts a callback function, it returns an object of type
Promise<http.serverResponse>, updated the call to await this function call and only pass in opt. The result is passed into a refactored version of handleData.Side Effects, Risks, Impact
Additional comments:
Fixes #11