Wasp2y ago
Harish

Dependabot Vulnerability Alerts for Internal Dependencies

I have created a project using Wasp, based on a simplified version of the OpenSaaS template. I am receiving several Dependabot Vulnerability alerts in the GitHub repository related to the following internal dependencies of Wasp:

- ws
- express
- follow-redirects
- axios
- undici

I am currently using Wasp version 0.13.2. Is there a way to update these packages? Alternatively, is there a newer version of Wasp available that addresses these vulnerabilities?

Link to my GH repo: https://github.com/airtai/fastagency-wasp-app-template/security/dependabot

Thank you for your assistance.
14 Replies
kapa.ai
kapa.ai2y ago
Hi @Harish. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Based on the provided knowledge sources, there isn't a direct way to update the internal dependencies of Wasp. Wasp dictates the exact versions of certain packages, and you are not allowed to define the same npm dependency yourself while specifying a different version. If you do that, you will get an error message telling you which exact version you have to use for that dependency (source: https://wasp-lang.dev/docs/project/dependencies).

However, the Wasp team is actively working on updates and new versions. For example, a new version of Wasp that allows any Node version >= 18 is expected to be released soon (source: https://github.com/wasp-lang/wasp/issues/1684).

To update your Wasp CLI, you can run the installer again with `curl -sSL https://get.wasp-lang.dev/installer.sh | sh`. If you already have Wasp installed, it will tell you to run it a bit differently to overwrite those files (source: https://github.com/wasp-lang/wasp/issues/616).

Unfortunately, the provided knowledge sources do not include information about a newer version of Wasp that addresses the vulnerabilities you mentioned. I recommend checking the Wasp GitHub repository (https://github.com/wasp-lang/wasp) for the latest updates and releases. If you have further questions or need assistance, consider opening an issue in the Wasp GitHub repository or joining the Wasp Discord community.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

Sorry @Harish, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
miho
miho2y ago
> Link to my GH repo: https://github.com/airtai/fastagency-wasp-app-template/security/dependabot

I get a 404 when I try to access the repository.

> Is there a way to update these packages?

Are the alerts for the app or the blog? If they are for the blog, you can update the Astro deps freely. If they are for the app, which ones are for the app? cc: @Vinny (@Wasp)
Vinny
Vinny2y ago
I believe most of them are coming from Astro, actually, but maybe not in this case.
Vinny
Vinny2y ago
As I see, they're not using the Astro blog, @miho: https://github.com/airtai/fastagency-wasp-app-template
Harish
HarishOP2y ago
Yup, we are not using the blog. The packages below need an upgrade:
ws
express
follow-redirects
axios
undici
miho
miho2y ago
We'll release Wasp 0.14.0 sometime this month, so we can upgrade those as needed 👍
Harish
HarishOP2y ago
Thanks
Harish
HarishOP2y ago
I have also got a security alert for the @grpc/grpc-js package, which is used by "@google-analytics/data": "4.1.0". So "@google-analytics/data": "4.1.0" also needs an upgrade. https://github.com/wasp-lang/open-saas/blob/main/template/app/package.json#L7
miho
miho2y ago
If the dep is in the package.json you can update it yourself 😄 only the deps that Wasp controls are out of your reach. cc: @Vinny (@Wasp) does this mean we need to update the version in the template?
Vinny
Vinny2y ago
we will be updating the template to Wasp v0.14 in a couple weeks
Harish
HarishOP2y ago
Yup, I could have updated the package.json directly but was not sure if the latest version of @google-analytics/data is supported by wasp. I could see a few packages including @google-analytics/data for which the versions are fixed in the package.json file in the open-saas-template. Anyways, I will wait for the next release 🙂
Vinny
Vinny2y ago
As Miho said, you are free to update any of the dependencies in the package.json file. So if there is a vulnerability in the google analytics package, you would want to try and update it. Because you've made significant changes to the template, you will have to manage those dependencies yourself. Only the dependencies internal to Wasp would change (e.g. Prisma, React-query) when updating Wasp versions, and Google Analytics is not one of them.
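The distinction miho and Vinny draw above (deps declared in your own package.json are yours to bump; deps pulled in by something the framework controls are not) can be checked mechanically from the two manifests npm already writes. The script below is an added example and is not code from this thread, from Wasp or from the OpenSaaS template: it takes a list of package names flagged by a scanner such as Dependabot, looks each one up in a package-lock.json (lockfileVersion 3 shape), and reports whether it is a direct dependency you can update yourself or a transitive one, together with the package that pulls it in, so you know whose release you are waiting on. Both manifests are constructed sample data, and "@sample/server-runtime" is a made-up stand-in for a framework-controlled package, not a real npm package.

```javascript
// Added example: classify scanner-flagged npm packages as direct (bump them
// yourself) or transitive (fixed by whoever depends on them). Not from the
// thread or the Wasp project. All manifests below are constructed samples.

const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  dependencies: {
    "@google-analytics/data": "4.1.0",
    "axios": "^1.4.0",
    "@sample/server-runtime": "0.1.0", // made-up framework runtime package
  },
};

// Constructed package-lock.json in lockfileVersion 3 shape: "packages" is keyed
// by the path under node_modules; "" is the root project itself.
const SAMPLE_PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    "node_modules/@google-analytics/data": {
      version: "4.1.0",
      dependencies: { "@grpc/grpc-js": "^1.8.0" },
    },
    "node_modules/@grpc/grpc-js": { version: "1.8.0" },
    "node_modules/axios": {
      version: "1.4.0",
      dependencies: { "follow-redirects": "^1.15.0" },
    },
    "node_modules/follow-redirects": { version: "1.15.0" },
    "node_modules/@sample/server-runtime": {
      version: "0.1.0",
      dependencies: { express: "^4.18.0", ws: "^8.13.0", undici: "^5.22.0" },
    },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/ws": { version: "8.13.0" },
    "node_modules/undici": { version: "5.22.0" },
  },
};

const ROOT = "<package.json>";

// Names declared in your own manifest; these you can bump directly.
function declaredDependencies(pkg) {
  return new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
}

// "node_modules/a/node_modules/b" -> "b"; the root entry "" -> ROOT.
function packageNameFromPath(lockPath) {
  return lockPath === "" ? ROOT : lockPath.replace(/^.*node_modules\//, "");
}

// Reverse the dependency graph: for each package name, who declares it.
function buildDependents(lock) {
  const dependents = new Map();
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const from = packageNameFromPath(lockPath);
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (!dependents.has(dep)) dependents.set(dep, new Set());
      dependents.get(dep).add(from);
    }
  }
  return dependents;
}

// Version of the hoisted (top-level node_modules) copy, or null if absent.
function installedVersion(lock, name) {
  const entry = lock.packages[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// For each flagged name: installed version, direct vs transitive, and the
// non-root packages that pull it in. A flagged name missing from the lockfile
// is reported as "not-installed" (stale alert, or alert for another manifest).
function classifyAlerts(flagged, pkg, lock) {
  const direct = declaredDependencies(pkg);
  const dependents = buildDependents(lock);
  return flagged.map((name) => {
    const version = installedVersion(lock, name);
    if (version === null) return { name, version: null, status: "not-installed", via: [] };
    const via = [...(dependents.get(name) || [])].filter((d) => d !== ROOT).sort();
    return { name, version, status: direct.has(name) ? "direct" : "transitive", via };
  });
}

// Constructed scanner output: the thread's five packages plus @grpc/grpc-js.
const FLAGGED = ["ws", "express", "follow-redirects", "axios", "undici", "@grpc/grpc-js"];

for (const r of classifyAlerts(FLAGGED, SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK)) {
  const owner = r.status === "transitive" ? ` (pulled in by ${r.via.join(", ")})` : "";
  console.log(`${r.name}@${r.version}: ${r.status}${owner}`);
}
```

With the sample data, axios comes out as direct (bump it in your own package.json), follow-redirects as transitive via axios, @grpc/grpc-js as transitive via @google-analytics/data, and express, ws and undici as transitive via the made-up runtime package, which is the situation the thread describes: the fix for those arrives with the next release of whatever declares them. To use it on a real project, replace the two constants with `JSON.parse(fs.readFileSync(...))` of your package.json and package-lock.json; note that it only inspects the hoisted copy of each package, so a nested duplicate under another package's node_modules is not reported separately.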
Harish
HarishOP2y ago
Sure, thanks.