5 low vulnerabilities caused by optional dependency gc-stats #579
Comments
Thanks. gc-stats can not be removed. It collects the Garbage Collection stats. You can however decide not to add it in your project. Maybe we fix the issue upstream at gc-stats? |
Did you look into fixing things upstream? |
Wouldn't hold my breath on this getting fixed in upstream as dainis hasn't been active for over six months now :(. There is a fork of gcstats with up-to-date dependencies, not sure if it also fixes the issue that causes gc-stats build to fail on node14 |
Thanks for sharing. Would be a breaking change to this library. As an alternative we could also maintain a fork as a package here. Then we have more control. 🤔 |
@tdeekens When I look at the difference between the abandoned gc-stats repository and the fork, the only differences I see look like dependency updates and build improvements. Are you sure that moving to the maintained fork would be a breaking change? For convenience, here's the comparison between the two: dainis/node-gcstats@master...adnanrahic:master |
Thanks. Let me explain why I think it would be:
With that change anybody using promster would have to update/add a As such it would be a breaking change. I don't strictly mind if we think it's a good decision though. |
This is raised in my audit CI checks for a project I'm working on. While I can see based on this thread that it's unlikely to cause a genuine security issue, it does normalise a failing audit check and make it harder for me to spot genuine issues. |
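The triage the comment above is asking for, separating audit findings that enter the tree only through an optional dependency from findings that need attention, as an added example that is not code from promster, gc-stats or any participant in this thread. It assumes the report shape of `npm audit --json` on npm 7 and later (one entry per package with `via`, `effects` and `isDirect`); the package names, the advisory and its URL are constructed placeholders.

```javascript
// Added example, not code from promster or gc-stats: classify `npm audit` findings by
// whether they reach the tree only through a package listed in optionalDependencies.
// The report shape (vulnerabilities -> via / effects / isDirect) is modelled on the
// JSON emitted by `npm audit --json` on npm 7+; every package name, advisory title
// and URL below is a constructed placeholder.

// Constructed package.json of an application that uses an exporter plus an
// optional native stats collector (stands in for the gc-stats situation).
const packageJson = {
  name: "example-app",
  dependencies: { "example-exporter": "^1.0.0" },
  optionalDependencies: { "example-gc-stats": "^1.4.0" },
};

// Placeholder advisory object in the shape npm puts into `via`.
const advisory = (name, severity) => ({
  source: 0, // placeholder advisory id
  name,
  dependency: name,
  title: `placeholder advisory for ${name}`,
  url: "https://example.invalid/advisory",
  severity,
});

// Constructed audit report: one advisory on a transitive package that only the
// optional dependency pulls in, one advisory on a required direct dependency.
const auditReport = {
  vulnerabilities: {
    "example-native-build": {
      name: "example-native-build",
      severity: "low",
      isDirect: false,
      via: [advisory("example-native-build", "low")],
      effects: ["example-gc-stats"], // packages that depend on this vulnerable one
    },
    "example-gc-stats": {
      name: "example-gc-stats",
      severity: "low",
      isDirect: true,
      via: ["example-native-build"], // vulnerable only through its dependency
      effects: [],
    },
    "example-exporter": {
      name: "example-exporter",
      severity: "moderate",
      isDirect: true,
      via: [advisory("example-exporter", "moderate")],
      effects: [],
    },
  },
};

// Walk `effects` upward from a finding until direct dependencies are reached.
// Returns the set of top-level package names through which the finding is reachable.
// A node that cannot be resolved to a direct dependency is returned as its own root,
// so an incomplete report never makes a finding look optional by accident.
function directRoots(report, name, seen = new Set()) {
  if (seen.has(name)) return new Set(); // guard against cyclic `effects`
  seen.add(name);
  const entry = report.vulnerabilities[name];
  if (!entry || entry.isDirect) return new Set([name]);
  const roots = new Set();
  for (const parent of entry.effects) {
    for (const r of directRoots(report, parent, seen)) roots.add(r);
  }
  return roots.size ? roots : new Set([name]);
}

// Split findings into those reachable only via optionalDependencies and the rest.
// Anything with a required (or unresolved) root stays in `required`, the safe default.
function triageAudit(report, manifest) {
  const optional = new Set(Object.keys(manifest.optionalDependencies || {}));
  const optionalOnly = [];
  const required = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    const roots = [...directRoots(report, name)].sort();
    const finding = { name, severity: entry.severity, roots };
    (roots.every((r) => optional.has(r)) ? optionalOnly : required).push(finding);
  }
  return { optionalOnly, required };
}

// Count findings per severity, like the "N low vulnerabilities" summary line.
function countBySeverity(findings) {
  return findings.reduce((acc, f) => {
    acc[f.severity] = (acc[f.severity] || 0) + 1;
    return acc;
  }, {});
}

const triage = triageAudit(auditReport, packageJson);
console.log("reachable only via optional deps:", countBySeverity(triage.optionalOnly));
console.log("reachable via required deps:", countBySeverity(triage.required));
```

Run with `node`. On the constructed data the two `low` findings are attributed to the optional dependency and the `moderate` one to a required dependency, which is the split a CI audit gate would need in order to fail only on the latter instead of normalising a permanently red check.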
@tdeekens Is there nothing that can be done about this? As @mdsummers points out, this affects all NodeJS applications which want to expose Prometheus metrics using this package. We're all stuck with broken audits because of an abandoned project (gc-stats) which doesn't actually install anymore anyway. I understand the concern about a breaking change. But can we just remove gc-stats, publish a major version bump of this module, and call it a day? |
Sure. We can move away from gc-stats to nodegc-stats in the hope of it being better maintained. It seems to also have received the last commit 12 months ago. Can you open a PR to kick things off? Thanks. |
@Ghazgkull any progress on this on your end? 🤔 |
I am evaluating Promster, and running into this issue. It is hard to justify using Promster if the project gc-stats spits out a bunch of vulnerabilities that are unfixed for months. In the gc-stats repository people are resorting to forking it and updating its dependencies. I like promster but it's not easy to adopt in the current state. |
I can totally agree with that! Have you considered opening a PR to promster to propose a change to move away from gc-stats? |
I see two possible paths:
And maybe a 3rd, since I am not a NodeJS expert and I am using this for a commercial project whereby I have to justify my time spent. I am thinking option (2) might be more time than I can justify so it would have to be a labor of love and contend with all my other priorities. Maybe one other option:
Definitely not ideal either, but I also do not think it's fair to discontinue using Promster just because the gc-stats library (whose stats we do not use in our project at least) eliminates the usability of the whole project - and so far it looks like the best of the NodeJs exporters. |
@tdeekens I am re-reading this thread and you say "Right now gc-stats is an optional dependency". This seems to be my mentioned point (3). How do I get a version of Promster that does not include gc-stats in the dependencies so that "npm audit" will pass? From your comment it already seems possible. |
@jdevalk2 |
Thanks for sharing your thoughts. We already follow option 3 as you noted yourself. I'd avoid forking gc-stats into this project (option 1). This would be my last resort. Before that I'd try to use the already forked and hopefully maintained version. I am not fully sure but wouldn't expect too many integration pains. Regarding your comment:
I'd also like to point out that this project is "labor of love and contend" by myself as Open Source is in general. I don't get time from any employer nor paid by anybody to work on the project. |
Please refer to #703 as a suggested change. |
@tdeekens Thank you for addressing this. You mention a comment above that you're already providing this option:
Can you please provide info on where to find the version of promster which doesn't include |
This issue talks about "5 low vulnerabilities", but the current situation is actually "10 high vulnerabilities". I've opened a new issue to take the conversation forward from here: #713 |
Describe the bug
I get the vulnerability reports below, caused by gc-stats, and I find that gc-stats is an optional dependency.
https://github.com/tdeekens/promster/blob/main/packages/metrics/package.json#L53-L55
To Reproduce
Steps to reproduce the behavior:
npm audit --registry=https://registry.npmjs.org
Expected behavior
Is it possible to remove gc-stats?