
Security alert in dependency (probably not dangerous) #133

Open
domoritz opened this issue Feb 24, 2019 · 6 comments

Comments

@domoritz
Contributor

I'm getting security alerts in my apps for cryptiles and hoek, which are pulled in through the omnisci connector. Can you upgrade your dependencies to resolve these issues?

I doubt that this alert is posing any threat whatsoever, but I wanted to flag it here so we can remove the warnings.

@domoritz
Contributor Author

domoritz commented Mar 5, 2019

Ping @jrajav.

@domoritz
Contributor Author

domoritz commented Mar 5, 2019

[screenshot: screen shot 2019-03-04 at 22 25 17]

@jonvuri
Contributor

jonvuri commented Mar 27, 2019

@domoritz Hi! Just an update on this - we are tracking the main sources of the vulnerability warnings and will address them by the next major release (not the immediate next release, but the one after). The breakdown:

codecov (the only source for cryptiles and hoek) -
This dependency seems to no longer be required, so we will simply remove it and test.

ws (another source of high-level vulns via Thrift, for node connector alone) -
This one is more complicated, but we are investigating and will upgrade it if at all possible up to 0.12 in order to get past this vulnerability, as well as to pull in another browser-side fix that is now in upstream.

Thanks for the issue, and sorry it's spun for a while now. We'll update here when we address it with a PR.

@domoritz
Contributor Author

I moved codecov to be a dev dependency as a quick fix: #132.

@domoritz
Contributor Author

@jrajav Could you make a release? The last release I see was 8 months ago.

@jonvuri
Contributor

jonvuri commented Feb 7, 2020

@domoritz We just released 5.1.0. The remaining vulnerabilities currently fall into these categories:

  • dev dependency
  • Thrift

We are investigating a Thrift runtime upgrade to be done shortly, but currently are tied to 0.10.0.
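The fix in #132 (moving codecov to devDependencies) and the "dev dependency" vs "Thrift" split above both come down to one question: is a flagged package reachable from a runtime dependency, so it ships to every consumer, or only from a devDependency, so it is installed only on the maintainers' machines and CI? The script below is an added example, not code from the connector project; the dependency graph and both manifests are constructed and simplified (the real lockfile has more edges), using only package names that appear in this thread.

```javascript
// Breadth-first walk over `graph` (package -> packages it requires),
// starting from `roots`; returns the set of every package reached.
function reachableFrom(roots, graph) {
  const seen = new Set();
  const queue = [...roots];
  while (queue.length > 0) {
    const pkg = queue.shift();
    if (seen.has(pkg)) continue;
    seen.add(pkg);
    for (const dep of graph[pkg] || []) queue.push(dep);
  }
  return seen;
}

// Sort each flagged package into "runtime" (reachable from dependencies,
// so every consumer installs it), "devOnly" (reachable only from
// devDependencies; still worth fixing, since CI and developer machines run
// it) or "absent" (not installed at all, e.g. a stale alert).
function classifyFlagged(manifest, graph, flagged) {
  const runtime = reachableFrom(Object.keys(manifest.dependencies || {}), graph);
  const dev = reachableFrom(Object.keys(manifest.devDependencies || {}), graph);
  const result = { runtime: [], devOnly: [], absent: [] };
  for (const pkg of [...flagged].sort()) {
    if (runtime.has(pkg)) result.runtime.push(pkg);
    else if (dev.has(pkg)) result.devOnly.push(pkg);
    else result.absent.push(pkg);
  }
  return result;
}

// Constructed graph: edges are illustrative, not the connector's real lockfile.
const graph = {
  codecov: ["hoek"],
  hoek: ["cryptiles"],
  cryptiles: [],
  thrift: ["ws"],
  ws: [],
};

// Constructed manifests: before #132 codecov was a runtime dependency,
// after #132 it lives in devDependencies. thrift stays pinned at 0.10.0.
const before = { dependencies: { thrift: "0.10.0", codecov: "*" }, devDependencies: {} };
const after = { dependencies: { thrift: "0.10.0" }, devDependencies: { codecov: "*" } };

// Packages the security alerts in this thread named.
const flagged = ["cryptiles", "hoek", "ws"];
console.log("before #132:", classifyFlagged(before, graph, flagged));
console.log("after  #132:", classifyFlagged(after, graph, flagged));
```

After the move, cryptiles and hoek drop out of the consumer-facing set while ws stays, because it is reached through the runtime dependency thrift; that matches the two remaining categories in the comment above.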
