Describe the bug:
Current versions of the NPM package fail audits and cause scanner findings due to the use of a backlevel @grpc/grpc-js version. I believe I saw somewhere that there's reasoning for the backlevel version usage, but naturally I can't dig it up now. Regardless, this should probably be tracked as an issue until rectified for general users.
$ npm audit
# npm audit report
@grpc/grpc-js <1.8.22
Severity: moderate
@grpc/grpc-js can allocate memory for incoming messages well above configured limits - https://github.com/advisories/GHSA-7v5v-9h63-cj86
fix available via `npm audit fix --force`
Will install @zilliz/[email protected], which is a breaking change
node_modules/@grpc/grpc-js
@zilliz/milvus2-sdk-node 2.2.21 - 2.3.5 || >=2.5.11
Depends on vulnerable versions of @grpc/grpc-js
node_modules/@zilliz/milvus2-sdk-node
2 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
macbookpro:c3-isms-portal khunt$ npm list @grpc/grpc-js
[email protected] /Users/khunt/ibmcloud/c3-isms-portal
└─┬ @zilliz/[email protected]
└── @grpc/[email protected]
Steps to reproduce:
- Install @zilliz/milvus2-sdk-node (@2.6.2 at the time of this issue creation)
- Run npm audit
Milvus-node-sdk version:
2.6.2
Milvus version:
N/A
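Added example (not code from the issue or from the Milvus Node SDK): a POSIX shell gate that fails a CI job when any installed copy of @grpc/grpc-js is older than the patched release named in the audit output above (1.8.22, GHSA-7v5v-9h63-cj86), so the finding is caught by version rather than by whatever the advisory database happens to report that day. It assumes `npm ls @grpc/grpc-js --parseable --long` prints one `<path>:<name>@<version>` line per installed copy; the sample lines, the project path and the version `1.8.20` are constructed, since the real resolved version is not shown on the page.

```shell
#!/bin/sh
# Added example, not part of the issue or the SDK project.
# Gate: fail when any installed @grpc/grpc-js is below the patched release.
# Real input (assumed format "<path>:<name>@<version>" per line):
#   npm ls @grpc/grpc-js --parseable --long | audit_grpc_js || exit 1

PATCHED_GRPC_JS="1.8.22"   # first fixed version per the npm audit report

# semver_key V: print "major minor patch" as integers; prerelease/build
# suffixes (-beta.1, +build) are dropped, missing parts default to 0.
semver_key() {
    v=${1%%[-+]*}
    IFS=. read -r maj min pat _ <<EOF
$v
EOF
    printf '%d %d %d' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# semver_lt A B: exit 0 if A < B, else 1 (numeric compare, not string compare,
# so 1.10.0 correctly sorts after 1.8.22).
semver_lt() {
    set -- $(semver_key "$1") $(semver_key "$2")
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# audit_grpc_js: read "<path>:<name>@<version>" lines on stdin, report every
# copy below PATCHED_GRPC_JS, exit 1 if any was found, else 0.
audit_grpc_js() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%%:*}        # everything before the first ':'
        version=${line##*@}     # everything after the last '@' (scoped names contain one '@')
        if semver_lt "$version" "$PATCHED_GRPC_JS"; then
            printf 'VULNERABLE @grpc/grpc-js %s (< %s) at %s\n' \
                "$version" "$PATCHED_GRPC_JS" "$path"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample input (assumption: mirrors the reporter's tree, where the
# SDK pulls in a grpc-js below 1.8.22; the exact version is not on the page).
SAMPLE_VULNERABLE='/Users/khunt/ibmcloud/c3-isms-portal/node_modules/@grpc/grpc-js:@grpc/grpc-js@1.8.20'
# Constructed sample of a clean tree with two deduplicated copies.
SAMPLE_CLEAN='/tmp/app/node_modules/@grpc/grpc-js:@grpc/grpc-js@1.8.22
/tmp/app/node_modules/@zilliz/milvus2-sdk-node/node_modules/@grpc/grpc-js:@grpc/grpc-js@1.10.0'

# Demo run on the constructed samples.
printf '%s\n' "$SAMPLE_VULNERABLE" | audit_grpc_js && echo "clean" || echo "gate FAILED"
printf '%s\n' "$SAMPLE_CLEAN"      | audit_grpc_js && echo "clean" || echo "gate FAILED"
```

The gate checks every installed copy, not only the hoisted one, because a nested `node_modules/@grpc/grpc-js` under the SDK is exactly what `npm audit` flags here. If the SDK's older pin turns out to be deliberate, as the reporter suspects, forcing a newer @grpc/grpc-js through a package.json `overrides` entry may break the SDK, so confirm with the maintainers before treating an override as the fix.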