Vulnerability due to version fixation of third-party libraries
-
How do we remediate a vulnerability where the solution is to upgrade a dependent library (async) for nodebb, as we can't upgrade explicitly?
-
If you don't want to upgrade nodebb to get the newer version of async, you can just upgrade it in package.json and run
npm i async
or npm i async@<version>
to get a specific version. Keep in mind not all versions will work with all versions of nodebb. Async had some breaking changes over the years, so make sure you test before upgrading.
-
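As an added example (not code from the thread, from baris or from NodeBB): a small Node script that checks whether the async upgrade described above is really in place, both in node_modules and in the package.json range, because a `^` or `~` range whose floor is below the fixed version can bring the vulnerable release back on a fresh `npm install`. The package.json content and version numbers are constructed, and the minimum fixed version is a placeholder that the scanner report would supply.

```javascript
// Added example, not NodeBB's or baris's code: verify that an async upgrade is
// pinned high enough that a fresh `npm install` cannot reinstall the vulnerable version.

// Parse "1.2.3", "^1.2.3", "~1.2.3" or ">=1.2.3" into the lowest version it allows.
// Caret and tilde ranges floor at the stated version, so that is the worst case.
function floorOf(spec) {
  const m = /^(?:\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Plain major/minor/patch comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// pkg: parsed package.json; installed: version found in node_modules/async/package.json;
// minFixed: first version the scanner reports as fixed.
function asyncRemediationStatus(pkg, installed, minFixed) {
  const spec = (pkg.dependencies || {}).async;
  const fixed = floorOf(minFixed);
  const installedOk = compare(floorOf(installed), fixed) >= 0;
  const declaredOk = spec !== undefined && compare(floorOf(spec), fixed) >= 0;
  return {
    installedOk, // node_modules currently holds a fixed version
    declaredOk,  // the package.json floor guarantees a fixed version on reinstall
    remediated: installedOk && declaredOk,
  };
}

// Constructed sample, not a real NodeBB package.json or a real advisory.
const samplePkg = { name: 'sample-forum', dependencies: { async: '^2.0.0' } };
const MIN_FIXED = '2.6.4'; // placeholder: take the real value from the scanner report

const status = asyncRemediationStatus(samplePkg, '2.6.4', MIN_FIXED);
console.log(status);
// → { installedOk: true, declaredOk: false, remediated: false }
// node_modules is fixed, but `^2.0.0` still allows 2.0.0 on a fresh install,
// so the package.json entry must be bumped as well (e.g. `npm i async@<version>`).
```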
Thanks baris, but my question was: we are running the latest nodebb, but the async version which runs in the latest version has some bugs. Now the remediation we got offered from the scanning tool is to upgrade the async version, but won't that mean that if we make changes in open source code, we need to make the code public? Also, explicitly upgrading libraries might break the application...
-
(not legal advice)
package.json is generated by NodeBB running on your server, so I don't think it's covered under the GPL. During usage of NodeBB it's modified whenever you install a plugin, for instance.
That said, if you have a specific update in mind, please do at least open an issue so we can add it to install/package.json.