cve when using flagsmith-nodejs 6.2.0

[kaijie0102]

Hey there!

I would like to request that the team update the dependency "pino" to address a cve

I have flagsmith-nodejs 6.2.0 as a dependency in my project and it's flagging that flagsmith --> pino 9.11.0 --> fast-redact which contains a vulnerability (GHSA-ffrw-9mx8-89p8). However, latest version of pino don't seem to be using fast-redact: http://github.com/pinojs/pino/pull/2298, hence please update pino to resolve this vulnerability.

Thanks!
Kai

[matthewelwell]

Hi @kaijie0102, thanks for raising this. There is a PR here to resolve it, and will be resolved in the next major version of the client since it requires dropping support for older versions of node.

I'm not 100% familiar with NPM's dependency resolution, but I would highlight that in 6.2.0, flagsmith depends on pino ^8.8.0 (see here), so your description of flagsmith --> pino 9.11.0 is a little confusing since that already breaks flagsmith's dependency specification. It does suggest to me, however, that you might be able to get around it yourself until we release the new major version by specifying e.g. pino ^10 in your own dependencies, since it seems that NPM will still resolve it (and the only breaking changes in the pino module are dropping support for node<=18).