Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE check denying [email protected] which is dependent on by pact-foundation/pact #1217

Closed
3 tasks done
julielaursen opened this issue May 20, 2024 · 3 comments
Closed
3 tasks done
Labels
bug Indicates an unexpected problem or unintended behavior triage This issue is yet to be triaged by a maintainer

Comments

@julielaursen
Copy link

julielaursen commented May 20, 2024

Software versions

Please provide at least OS and version of pact-js

  • OS: Mac OS Sonoma 14.5
  • Consumer Pact library: @pact-foundation/pact 12.5.0
  • Node Version: v18.20.2

Issue Checklist

Please confirm the following:

  • I have upgraded to the latest
  • I have the read the FAQs in the Readme
  • I have triple checked, that there are no unhandled promises in my code and have read the section on intermittent test failures

Expected behaviour

Pact should not cause issues in Fossa vulnerability scanning software

Actual behaviour

In our Fossa step in CI, we are getting this error

This license is denied by your licensing policy.
This issue exists in a transitive dependency.

for version ramda (0.28.0)
When i run yarn why ramda I get:

├─ @pact-foundation/pact@npm:12.5.0
│  └─ ramda@npm:0.28.0 (via npm:^0.28.0)
│

I suspect this may be the same issue as
#962
and #880

Because Fossa is required in CI, this blocks our CI for all PRs moving forward

@julielaursen julielaursen added bug Indicates an unexpected problem or unintended behavior triage This issue is yet to be triaged by a maintainer labels May 20, 2024
@julielaursen julielaursen changed the title Fossa denying [email protected] which is dependent on by pact-foundation/pact CVE check denying [email protected] which is dependent on by pact-foundation/pact May 20, 2024
@mefellows
Copy link
Member

Ramda just needed an update. Strange snyk/dependabot didn't pick this up yet.

In any case, it will be fixed in the next release.

@julielaursen
Copy link
Author

@mefellows my team is blocked completely by this, do you have an ETA on when that next release might be?

@mefellows
Copy link
Member

You should really build your CI systems to be resilient to such things. This is a development dependency, what's the actual risk? It's just security theatre.

There are ways to replace packages that are vulnerable using yarn, I'd suggest you do that for now as a workaround until the next release is out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Indicates an unexpected problem or unintended behavior triage This issue is yet to be triaged by a maintainer
Projects
None yet
Development

No branches or pull requests

2 participants