
Dependency Updates #244

Closed
lernerb opened this issue Dec 6, 2023 · 7 comments

Comments

@lernerb

lernerb commented Dec 6, 2023

Hey @mprew97 - do y'all and the rest of Iterable plan on updating most of the moderate/critical security dependencies against the iterable-web-sdk? It's one of the only libraries left in our React app that has a ton of updated vulnerabilities, and our compliance team is asking us to upgrade as we're in the finance world. We would like to avoid manually patching so many updates, as it's usually simpler for the dependency to keep up to date with min versions.

Please let us know.

@mprew97
Contributor

mprew97 commented Dec 6, 2023

Hey @lernerb! We do actually have it on our roadmap. Are these the main vulnerabilities brought up by your compliance team?

@lernerb
Author

lernerb commented Dec 6, 2023

Those are the only three that the current dependency rules aren't overriding due to package rules (e.g. ~/^)!

I'd highly recommend, if possible, keeping dependencies up to date based on Dependabot and enabling repo Security checks - it'll tell y'all when there are security advisories and will attempt to do the first patch (and it makes your life easier when there's a major breaking change - to not be so far behind). All of the latest packages for those 3 above have patched out the issues - they're pretty widely used JS packages.

Thanks for responding so quickly!

@mprew97
Contributor

mprew97 commented Dec 6, 2023

Will work with the team to get this prioritized for our next sprint.

@mprew97
Contributor

mprew97 commented Dec 6, 2023

created an item to pull this into our next sprint

@thebiltheory

@lernerb The package is open-source, PRs are always welcome.

@mprew97
Contributor

mprew97 commented Feb 14, 2024

Hey @lernerb, just an update here:

The Axios security issue has been fixed. You can pull the latest release for that one. There is a separate PR I have open to resolve a bunch of other outdated dependency and security issues here.

@lernerb
Author

lernerb commented Feb 14, 2024

Thank you @mprew97 - we've updated on our end and see it as fixed as well! We are able to locally patch over the second PR while we wait for that to get merged as well.

@mprew97 mprew97 closed this as completed Apr 25, 2024