Dbdocs CLI using vulnerable modules

Jens · June 22, 2022, 9:50am

It seems the dbdocs client depends on vulnerable versions of
axios <=0.21.1
follow-redirects <=1.14.7
got <11.8.5

Steps to reproduce:
in an environment where npm audit finds nothing
npm install dbdocs
run npm audit again to find 7 vulnerabilities (4 moderate, 3 high)

I am using nodeenv inside my python venv to do this.
Is there any fix for this?
(“npm audit fix --force” does not solve it)

Thi_Nguyen · June 23, 2022, 3:54am

Thank you for reporting the problem, Jens.

Yes, we’ve planned to upgrade the affected dependencies. Will keep you posted when it is available.

There’re some delays due to we’re currently have some higher prioritize things to implement.

Thi_Nguyen · September 23, 2022, 7:46am

Update September 2022: With the release of dbdocs CLI ver 0.7.0, we upgraded the affected dependencies to address vulnerabilities.