Wasp-lang • 4mo ago
Harish

Dependabot Vulnerability Alerts for Internal Dependencies

I have created a project using Wasp, based on a simplified version of the OpenSaaS template. I am receiving several Dependabot Vulnerability alerts in the GitHub repository related to the following internal dependencies of Wasp:
- ws
- express
- follow-redirects
- axios
- undici

I am currently using Wasp version 0.13.2. Is there a way to update these packages? Alternatively, is there a newer version of Wasp available that addresses these vulnerabilities?

Link to my GH repo: https://github.com/airtai/fastagency-wasp-app-template/security/dependabot

Thank you for your assistance.
14 Replies
kapa.ai • 4mo ago
Hi @Harish. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Based on the provided knowledge sources, there isn't a direct way to update the internal dependencies of Wasp. Wasp dictates the exact versions of certain packages, and you are not allowed to define the same npm dependency yourself while specifying a different version. If you do that, you will get an error message telling you which exact version you have to use for that dependency. Source: https://wasp-lang.dev/docs/project/dependencies

However, the Wasp team is actively working on updates and new versions. For example, a new version of Wasp that allows any Node version >= 18 is expected to be released soon. Source: https://github.com/wasp-lang/wasp/issues/1684

To update your Wasp CLI, you can run the installer again with curl -sSL https://get.wasp-lang.dev/installer.sh | sh. If you already have Wasp installed, it will tell you to run it a bit differently to overwrite those files. Source: https://github.com/wasp-lang/wasp/issues/616

Unfortunately, the provided knowledge sources do not include information about a newer version of Wasp that addresses the vulnerabilities you mentioned. I recommend checking the Wasp GitHub repository (https://github.com/wasp-lang/wasp) for the latest updates and releases. If you have further questions or need assistance, consider opening an issue in the Wasp GitHub repository or joining the Wasp Discord community.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
Sorry @Harish, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
miho • 4mo ago
Link to my GH repo: https://github.com/airtai/fastagency-wasp-app-template/security/dependabot
I get a 404 when I try to access the repository.
Is there a way to update these packages?
Are the alerts for the app or the blog? If they are for the blog, you can update the Astro deps freely. If they are for the app, which ones are for the app? cc: @Vinny (@Wasp)
Vinny (@Wasp) • 4mo ago
I believe most of them are coming from Astro, actually, but maybe not in this case.
Vinny (@Wasp) • 4mo ago
As I see, they're not using the Astro blog, @miho: https://github.com/airtai/fastagency-wasp-app-template
Harish • 4mo ago
Yup, we are not using the blog. Below are the packages that need an upgrade:
ws
express
follow-redirects
axios
undici
miho • 4mo ago
We'll release Wasp 0.14.0 sometime this month, so we can upgrade those as needed 👍
Harish • 4mo ago
Thanks
MEE6 • 4mo ago
Wohooo @Harish, you just became a Waspeteer level 3!
Harish • 4mo ago
I have also got a security alert for the @grpc/grpc-js package, which is used by "@google-analytics/data": "4.1.0". So "@google-analytics/data": "4.1.0" also needs an upgrade. https://github.com/wasp-lang/open-saas/blob/main/template/app/package.json#L7
miho • 4mo ago
If the dep is in the package.json you can update it yourself 😄 Only the deps that Wasp controls are out of your reach. cc: @Vinny (@Wasp) Does this mean we need to update the version in the template?
Vinny (@Wasp) • 4mo ago
We will be updating the template to Wasp v0.14 in a couple of weeks.
Harish • 4mo ago
Yup, I could have updated the package.json directly, but I was not sure if the latest version of @google-analytics/data is supported by Wasp. I could see a few packages, including @google-analytics/data, for which the versions are fixed in the package.json file in the open-saas template. Anyways, I will wait for the next release 🙂
Vinny (@Wasp) • 4mo ago
As Miho said, you are free to update any of the dependencies in the package.json file. So if there is a vulnerability in the google analytics package, you would want to try and update it. Because you've made significant changes to the template, you will have to manage those dependencies yourself. Only the dependencies internal to Wasp would change (e.g. Prisma, React-query) when updating Wasp versions, and Google Analytics is not one of them.
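As an added example (not code from this thread, the Wasp project or the OpenSaaS template), the script below answers the triage question miho and Vinny raise: for each package named in a Dependabot alert, it walks the npm lockfile upward to find which entries of your own package.json pull it in (those you can bump yourself), and flags packages that are absent from your lockfile altogether (introduced by something other than your package.json, so not fixable there). The lockfile fragment is constructed for illustration; a real run would replace LOCKFILE with json.load(open("package-lock.json")) on a lockfileVersion 2 or 3 file.

```python
from collections import defaultdict, deque

# Constructed lockfile (v3 layout), not the thread's repository; stands in for json.load(open("package-lock.json")).
LOCKFILE = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"axios": "^1.4.0", "@google-analytics/data": "4.1.0"}},
    "node_modules/axios": {"version": "1.4.0", "dependencies": {"follow-redirects": "^1.15.0"}},
    "node_modules/follow-redirects": {"version": "1.15.2"},
    "node_modules/@google-analytics/data": {"version": "4.1.0", "dependencies": {"google-gax": "^4.0.0"}},
    "node_modules/google-gax": {"version": "4.0.3", "dependencies": {"@grpc/grpc-js": "~1.9.0"}},
    "node_modules/@grpc/grpc-js": {"version": "1.9.0"},
}}
ROOT = "<project>"  # marker for the project's own package.json (lockfile key "")

def package_name(path):
    """Install path -> package name; handles scoped names and nested node_modules."""
    return path.rsplit("node_modules/", 1)[-1]

def reverse_graph(lock):
    """Map each dependency name to the set of packages (or ROOT) that depend on it."""
    dependents = defaultdict(set)
    for path, meta in lock["packages"].items():
        who = ROOT if path == "" else package_name(path)
        for dep in meta.get("dependencies", {}):
            dependents[dep].add(who)
    return dependents

def direct_deps_pulling_in(lock, name):
    """Sorted package.json entries through which `name` is installed, or None when
    `name` is not in this lockfile at all (then it is not introduced by this package.json)."""
    if name not in {package_name(p) for p in lock["packages"] if p}:
        return None
    dependents, direct = reverse_graph(lock), set()
    seen, queue = {name}, deque([name])
    while queue:  # breadth-first walk from the alerted package up to the project root
        pkg = queue.popleft()
        for who in dependents.get(pkg, ()):
            if who == ROOT:
                direct.add(pkg)  # pkg is listed directly in package.json
            elif who not in seen:
                seen.add(who)
                queue.append(who)
    return sorted(direct)

def triage(lock, alerted):
    """Alerted name -> direct deps to bump, or a note that the package is not in this lockfile."""
    report = {}
    for name in alerted:
        via = direct_deps_pulling_in(lock, name)
        report[name] = "not in this lockfile" if via is None else via
    return report
```

Call triage(LOCKFILE, [...]) with the package names from the Dependabot alerts; an entry that maps to a list tells you which package.json dependency to bump, while "not in this lockfile" means the fix has to come from whatever else installs that package.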
Harish • 4mo ago
Sure, thanks