Node security

[richardschneider]

The CI build is reporting 12 vulnerabilities found. They are all Sandbox Breakout and come from protons@1.0.0 > brfs@1.4.3 > static-module@1.5.0 > static-eval@0.2.4.

The recommendation is to upgrade static-module to v2.0.0 or later

dependency updates, most notably static-eval to v2.0.0 which fixes a security vulnerability.

[richardschneider]

There's a PR to upgrade bfrs to the latest version of static-module. It's build is failing!

[richardschneider]

Once brfs is upgraded, then protons should be upgraded. All dependents (bitswap, unixfs, ...) should be upgraded. Or make the new protons version just a patch (1.0.1) and dependents will just get it.

[richardschneider]

It appears that ipfs/protons#3 will remove bfrs from protons and then all the security notifications will be resolved.

@dignifiedquire @thisconnect can we get some progress on the PR?

[daviddias]

Seems that everything is ready, @dignifiedquire just needs to merge and release :)

[daviddias]

Back to green

@richardschneider thanks for pushing on this one :)