5 low vulnerabilities caused by optional dependency gc-stats #579
Comments
|
Thanks. gc-stats can not be removed. It collects the Garbage Collection stats. You can however decide not to add it in your project. Maybe we fix the issue upstream at gc-stats? |
|
Did you look into fixing things upstream? |
|
Wouldn't hold my breath on this getting fixed in upstream as dainis hasn't been active for over six months now :(. There is a fork of gcstats with up-to-date dependencies, not sure if it also fixes the issue that causes gc-stats build to fail on node14 |
|
Thanks for sharing. Would be a breaking change to this library. As an alternative we could also maintain a fork as a package here. Then we have more control. 🤔 |
|
@tdeekens When I look at the difference between the abandoned gc-stats repository and the fork, the only differences I see look like dependency updates and build improvements. Are you sure that moving to the maintained fork would be a breaking change? For convenience, here's the comparison between the two: dainis/node-gcstats@master...adnanrahic:master |
|
Thanks. Let me explain why I think it would be:
With that change anybody using promster would have to update/add a As such it would be a breaking change. I don't strictly mind if we think it's a good decision though. |
|
This is raised in my audit CI checks for a project I'm working on. While I can see based on this thread that it's unlikely to cause a genuine security issue, it does normalise a failing audit check and make it harder for me to spot genuine issues. |
|
@tdeekens Is there nothing that can be done about this? As @mdsummers points out, this affects all NodeJS applications which want to expose Prometheus metrics using this package. We're all stuck with broken audits because of an abandoned project (gc-stats) which doesn't actually install anymore anyway. I understand the concern about a breaking change. But can we just remove gc-stats, publish a major version bump of this module, and call it a day? |
|
Sure. We can move away from gc-stats to nodegc-stats in the hope of it being better maintained. It seems to also have received the last commit 12 months ago. Can you open a PR to kick things off? Thanks. |
|
@Ghazgkull any progress on this on your end? 🤔 |
|
I am evaluating Promster, and running into this issue. It is hard to justify using Promster if the project gc-stats spits out a bunch of vulnerabilities that are unfixed for months. In the gc-stats repository people are resorting to forking it and updating its dependencies. I like promster but it's not easy to adopt in the current state. |
|
I can totally agree with that! Have you considered opening a PR to promster to propose a change to move away from gc-stats? |
|
I see two possible paths:
And maybe a 3rd, since I am not a NodeJS expert and I am using this for a commercial project whereby I have to justify my time spent. I am thinking option (2) might be more time than I can justify so it would have to be a labor of love and contend with all my other priorities. Maybe one other option:
Definitely not ideal either, but I also do not think its fair to discontinue using Promster just because gc-stats library (whose stats we do not use in our project at least) eliminates the usability of the whole project - - and so far it looks like the best of the NodeJs exporters. |
|
@tdeekens I am re-reading this thread and you say Right now gc-stats is an optional dependency This seems to be my mentioned point (3).. How do I get a version of Promster that does not include gc-stats in the dependencies so that "npm audit" will pass? From your comment it already seems possible. |
|
@jdevalk2 |
|
Thanks for sharing your thoughts. We already follow option 3 as you noted yourself. I'd avoid forking gc-stats into this project (option 1.). This would be my last resort. Before I'd try to use the already forked and hopefully maintained version. I am not fully sure but wouldn't expect to many integration pains. Regarding your comment:
I'd also like to point out that this project is "labor of love and contend" by myself as Open Source is in general. I don't get time from any employer nor paid by anybody to work on the project. |
|
Please refer to #703 as a suggested change. |
|
@tdeekens Thank you for addressing this. You mention a comment above that you're already providing this option:
Can you please provide info on where to find the version of promster which doesn't include |
|
This issue talks about "5 low vulnerabilities", but the current situation is actually "10 high vulnerabilities". I've opened a new issue to take the conversation forward from here: #713 |
Describe the bug
get below vulnerabilities reports, caused by gc-stats, and I find that gc-stats is optional dependency.
https://github.com/tdeekens/promster/blob/main/packages/metrics/package.json#L53-L55
To Reproduce
Steps to reproduce the behavior:
npm audit --registry=https://registry.npmjs.org
Expected behavior
Is it possible to remove gc-stats?
Screenshots
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: