When I run npm install -g @dataform/cli@latest, I get an error saying:
npm WARN deprecated vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.
When installing the Dataform CLI, you may encounter a warning about a deprecated version of the vm2 library due to known critical security vulnerabilities. Here’s an overview of the issue and how to effectively address it:
Understanding the Warning
Dependency Concern: The Dataform CLI uses vm2 as a dependency. The specific version in question, 3.9.19, has been flagged for critical security vulnerabilities that could potentially expose your environment to security threats.
Risk: Utilizing the Dataform CLI with this vulnerable version of vm2 increases the risk of security breaches in your Google Cloud environment.
Resolution Strategies
Check for and Apply Updates:
Immediate Action: Verify whether there’s an updated version of the Dataform CLI that addresses the vm2 dependency issue, either by removing it, updating it, or replacing it with a safer alternative.
How to Update: If an updated version is available, upgrade to it using the command: npm install -g @dataform/cli@latest
Documentation Consultation: Review the Dataform CLI documentation or release notes for information on security updates or dependency changes.
Temporary Mitigation Strategies
If no immediate update is available, acknowledge the risks and use any suggested workarounds sparingly while waiting for the official fix.
If the issue persists without a resolution, consider exploring alternative tools that fulfill your requirements without the associated security vulnerabilities.
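One way to check step "Check for and Apply Updates" concretely, as an added example that is not part of the original answer or of the Dataform project: after upgrading, dump the global dependency tree with npm and walk it to see whether vm2 is still reachable and through which chain. The tree below is a constructed sample standing in for real npm output; the intermediate package name and every version other than vm2@3.9.19 are placeholders.

```javascript
// Added example (not from the original post or from the Dataform project):
// walk the JSON tree that `npm ls -g --all --json` prints and list every
// dependency chain ending at a flagged package, so you can tell whether the
// updated @dataform/cli still pulls in vm2 and via which path.
// Real use: run `npm ls -g --all --json > tree.json`, JSON.parse that file and
// pass the object to summarize(); here a constructed sample stands in for it.

function findChains(tree, target, prefix = [], hits = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const chain = prefix.concat(`${name}@${info.version || "?"}`);
    if (name === target) {
      hits.push({ chain: chain.join(" > "), version: info.version || "?" });
    }
    // npm's JSON tree is finite: deduped nodes carry no nested dependencies.
    findChains(info, target, chain, hits);
  }
  return hits;
}

// Summarise whether any chain still reaches the target and which versions appear.
function summarize(tree, target) {
  const hits = findChains(tree, target);
  return {
    present: hits.length > 0,
    versions: [...new Set(hits.map((h) => h.version))].sort(),
    chains: hits.map((h) => h.chain),
  };
}

// Constructed sample tree. vm2@3.9.19 is the version named in the npm warning;
// every other package name and version here is an illustrative placeholder.
const SAMPLE_TREE = {
  dependencies: {
    "@dataform/cli": {
      version: "0.0.0-placeholder",
      dependencies: {
        "placeholder-transitive-dep": {
          version: "0.0.0-placeholder",
          dependencies: { vm2: { version: "3.9.19" } },
        },
      },
    },
    "unrelated-global-tool": { version: "1.0.0-placeholder" },
  },
};

const result = summarize(SAMPLE_TREE, "vm2");
console.log(result.present
  ? `vm2 still present (${result.versions.join(", ")}):\n  ${result.chains.join("\n  ")}`
  : "vm2 not found in the global dependency tree");
```

An empty `chains` list after the upgrade means the new CLI release no longer depends on vm2; a non-empty one shows exactly which package still pulls it in.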