Dependency Updates #244
Comments
Hey @lernerb! We do actually have it on our roadmap. Are these the main vulnerabilities brought up by your compliance team?
Those are the only three that the current dependency rules aren't overriding due to package rules (e.g. ~/^)! I'd highly recommend if possible to keep dependencies up to date based on Dependabot and to enable repo Security checks - it'll tell y'all when there are security advisories and will attempt to do the first patch (and it makes your life easier when there's a major breaking change - to not be so far behind). All of the latest packages for those 3 above have patched out the issues - they're pretty widely used JS packages. Thanks for responding so quickly!
Will work with the team to get this prioritized for our next sprint.
Created an item to pull this into our next sprint.
@lernerb The package is open-source, PRs are always welcome.
Thank you @mprew97 - we've updated on our end and see it as fixed as well! We are able to locally patch over the second PR while we wait for that to get merged as well.
Hey @mprew97 - do y'all and the rest of Iterable plan on updating most of the moderate/critical security dependencies against the iterable-web-sdk? It's one of the only libraries left in our React app that has a ton of updated vulnerabilities, and our compliance team is asking us to upgrade as we're in the finance world. We would like to avoid manually patching so many updates, as it's usually simpler for the dependency to keep up to date with min versions.
Please let us know.