Wasp • 3mo ago

The vulnerabilities are for everyone right?

I've compiled the general template and I see this as well, just want to confirm: 5 vulnerabilities (2 moderate, 3 high). This is for everyone because of Wasp's dependency on an outdated Express version, correct? Also, Wasp is absolutely wonderful and the future of making apps, the way you all have seamlessly integrated emails, jobs, authentication, CRUD - I am so impressed.
5 Replies
kapa.ai • 3mo ago
Hi @Adam. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Yes, the vulnerabilities you're seeing are likely due to dependencies that Wasp has on certain packages. It's important to note that these vulnerabilities are not unique to your project but are present in the packages that your project depends on.

Wasp, like many other frameworks, relies on a number of third-party packages. These packages, in turn, may have their own dependencies. If any of these packages or their dependencies have known security vulnerabilities, those vulnerabilities will be reported when you install your project's dependencies.

In the case of Express, Wasp uses it as a middleware for its applications. If the version of Express used by Wasp has known vulnerabilities, those will be reported as well.

It's always a good practice to keep your dependencies up-to-date to minimize the risk of security vulnerabilities. However, updating dependencies can sometimes introduce breaking changes, so it should be done carefully.

And thank you for your kind words about Wasp! The team is indeed working hard to make it a powerful and easy-to-use tool for building web applications. Your feedback is greatly appreciated!

Sources:
- Github Issue (closed): TODO tutorial, db studio command errors with prisma ECONNREFUSED > Comments Part 2 (https://github.com/wasp-lang/wasp/issues/356)
- Docs > Advanced > Configuring Middleware (https://wasp-lang.dev/docs/advanced/middleware-config)
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
Sorry @Adam, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
Filip • 3mo ago
This is for everyone because of wasp's dependency on outdated express version correct?
That's correct, yes. It's not ideal, but I've looked at these vulnerabilities the other day and (this is going to sound terrible 😅) they are not as serious as that message implies. The highest one is a DoS attack vector that can only be triggered if you're using a very specific react router feature which I don't think Wasp even supports. So I'd say you're safe. Still, we're currently in the "update all the stuff" effort and hope to get this sorted sooner rather than later.
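A triage helper for the kind of audit result discussed in the question and in the reply above, added here as an example (it is not Wasp's code and not from anyone in the thread): it splits an `npm audit --json` report into direct and transitive findings, counts severities, and lists the packages that carry the actual advisories, so a "3 high" headline can be traced to the one package that really needs an upgrade. The report below is a constructed sample in the npm v7+ JSON shape; package names, ranges and advisory titles are placeholders.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// Package names, ranges and advisory titles are placeholders, not real findings.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser", severity: "high", isDirect: false,
      via: [{ title: "Placeholder DoS in example-parser", severity: "high" }],
      effects: ["example-server"], range: "<2.0.0", fixAvailable: true,
    },
    "example-server": {
      name: "example-server", severity: "high", isDirect: false,
      via: ["example-parser"], effects: [], range: "<5.0.0", fixAvailable: true,
    },
    "example-ui": {
      name: "example-ui", severity: "moderate", isDirect: true,
      via: [{ title: "Placeholder ReDoS in example-ui", severity: "moderate" }],
      effects: [], range: "<1.4.0", fixAvailable: false,
    },
  },
};

// Split the headline count into what actually needs attention: entries whose
// `via` contains advisory objects carry real findings; entries whose `via` is
// only package names are flagged because they depend on a vulnerable package.
function summarizeAudit(report) {
  const counts = { critical: 0, high: 0, moderate: 0, low: 0, info: 0 };
  const direct = [];
  const transitive = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
    const entry = {
      name: v.name,
      severity: v.severity,
      range: v.range,
      advisories: v.via.filter((x) => typeof x === "object").map((a) => a.title),
      reachedVia: v.via.filter((x) => typeof x === "string"),
      fixAvailable: Boolean(v.fixAvailable), // npm reports a boolean or an object
    };
    (v.isDirect ? direct : transitive).push(entry);
  }
  // Root advisories: the packages that must be upgraded to clear the rest.
  const rootCauses = [...direct, ...transitive]
    .filter((e) => e.advisories.length > 0)
    .map((e) => e.name);
  return { counts, direct, transitive, rootCauses };
}

console.log(JSON.stringify(summarizeAudit(SAMPLE_REPORT), null, 2));
```

To run it on a real project, replace SAMPLE_REPORT with `JSON.parse` of the `npm audit --json` output; whether the flagged code path is actually reachable in your app (as in the react router case above) still has to be checked by hand.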
Filip • 3mo ago
Also, Wasp is absolutely wonderful and the future of making apps, the way you all have seamlessly integrated emails, jobs, authentication, CRUD, - I am so impressed.
That's very nice to hear! Just out of curiosity, how long have you been working with web apps, and what else have you tried? We're always interested in hearing how we stack up against other ways of doing things, even if it's not in our favor (especially then).
VSOP • 3mo ago
Thanks @sodic, and again thanks for your work! Experience - back-end developer for 3 years. I was using the Remix Blues stack, then got a bit annoyed with the unneeded complexities - Wasp simplifies a lot of complexities (although looking forward to the non-relative imports soon 🙂 writing /../../../ makes me super confused haha!). I think you all are now getting a lot more traction and soon Wasp will be the go-to framework, happy to be here and happy to have you all - you all rock!
Filip • 3mo ago
Yeah, the relative paths are very annoying, I hope we can fix that very soon. Here's the relevant issue: https://github.com/wasp-lang/wasp/issues/2247 I've added your message inside to help prioritize it.
I think you all are now getting a lot more traction and soon wasp will be the goto framework, happy to be here and happy to have you all - you all rock!
Thanks for the kind words and wishes, and I hope you're right! 🤞 😄