Fork the repo and fix it yourself, ideally basing the change off the fix on the new major version if possible.
Yes, you now don't get vuln. notifications for the original repo, which is an issue in itself. It would be nice to mark a CVE as mitigated in your package.json and to also mark a resolution to still pick up CVEs from the original package. E.g.
{
  "dependencies": {
    "badRepo": "1.0.0" // has a dependency that is vulnerable
  },
  "resolutions": {
    "badRepo/**/dependency": "git://github.com/org/dependency" // fixed, but now won't report new CVEs from the original badRepo/**/dependency package. Would be good to specify that we still want reports for the original repo
  }
}
That is how we handle such issues in our team; we also review any forks at the start of every sprint to see if it has been resolved and we can remove the fork dependency.
If the vuln is valid and exploitable in your system, what other choice do you have? It's one of the pitfalls of depending on 3rd party packages. If you are using an old major version that now has a vuln that is only fixed in a newer version, NPM doesn't make that situation worse.
Caveat: These are my 5-minute thoughts; I could probably do a better, more thorough write-up.
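The sprint-by-sprint review of forks described above can be made mechanical. The following is an added example, not code from the comment or from any project it mentions: a small Node script that reads the "resolutions" block of a package.json and lists every override that points at a fork, together with the name of the upstream package that audit tooling will no longer report on. It assumes yarn-style resolution patterns (the last path segment names the overridden package, scoped packages spanning two segments); the package.json contents, package names and fork URLs are constructed for the demo.

```javascript
// Added example: find dependency overrides that redirect a package to a fork,
// so the upstream package can still be checked by hand for new advisories.
// Assumes yarn-style "resolutions" entries; the sample package.json below is
// constructed for this demo and does not describe any real project.

// The last path segment of a resolution pattern is the package being
// overridden; a scoped package ("@scope/name") spans the last two segments.
function overriddenPackage(pattern) {
  const parts = pattern.split('/');
  const last = parts[parts.length - 1];
  if (parts.length >= 2 && parts[parts.length - 2].startsWith('@')) {
    return parts[parts.length - 2] + '/' + last;
  }
  return last;
}

// A resolution value counts as a fork when it is a git URL, a github: spec,
// a github.com https URL, or the "org/repo[#ref]" shorthand. Plain semver
// ranges, npm: aliases and file: paths are not forks.
function isForkSource(spec) {
  return /^(git\+|git:|github:)/.test(spec)
    || /^https?:\/\/github\.com\//.test(spec)
    || /^[\w.-]+\/[\w.-]+(#[\w./-]+)?$/.test(spec);
}

// Returns one record per fork override: the pattern, the upstream package
// name that audit tools stop tracking, and the fork it was redirected to.
function forkedOverrides(pkg) {
  const resolutions = pkg.resolutions || {};
  return Object.entries(resolutions)
    .filter(([, spec]) => isForkSource(spec))
    .map(([pattern, spec]) => {
      const upstream = overriddenPackage(pattern);
      return {
        pattern,
        package: upstream,
        source: spec,
        note: `check upstream advisories for "${upstream}" manually`,
      };
    });
}

// Constructed sample: one transitive fork, one scoped fork via shorthand,
// and one ordinary version pin that must not be reported.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { badRepo: '1.0.0' },
  resolutions: {
    'badRepo/**/dependency': 'git://github.com/org/dependency',
    'badRepo/**/@scope/other': 'org/other#fix-branch',
    'lodash': '^4.17.21',
  },
};

function main() {
  // In real use, replace SAMPLE_PACKAGE_JSON with
  // JSON.parse(require('fs').readFileSync('package.json', 'utf8')).
  for (const entry of forkedOverrides(SAMPLE_PACKAGE_JSON)) {
    console.log(`${entry.pattern} -> ${entry.source}\n  ${entry.note}`);
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  main();
}
```

Run it against a real package.json at the start of a sprint and the output is the list of upstream packages whose advisories need a manual check, which is exactly the information the fork-based workaround loses from the normal audit report.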
This is pretty accurate and refreshing to see. Contrary to everyone else's salaries, the UK (excl. London) seems very low.
I am just below the £45k mark with 3 years at my current company and 12ish years overall. So should be bang on your numbers when it comes to 5-10 years at this company.
Don't get disheartened when you read these big salaries online. The average reader isn't bothering to post theirs.
The UK is actually pretty good when it comes to IT salaries. Go to France, for example, and they're much lower. The attitude to devs is quite poor in a lot of places, treating us like we're one rung above car mechanics. We also have a good contract market in the UK; in many other EU countries (even Australia) contractors make peanuts in comparison.
Outsourcing and the low barrier-to-entry have all dampened IT salaries. Immigration has also played a part in the UK over the last 15 years; a lot of devs from Eastern Europe have gone where the money is - i.e. here. I know it's a contentious issue here but I say that with no malice. I'd do it too if I was them, and a lot of them are talented devs, but there's no point pretending it hasn't had an impact.
IME salaries have risen fairly significantly in London over the past 7 years or so, up until about 2 years ago.
I don't think dev immigration has hurt that much if at all. There's a virtuous circle: the more devs there are, the more startups are created and the more FAANGs set up shop. Devs get more experienced on bigger and harder problems, which makes them more valuable.
There's a huge amount of developer immigration to SV, and yet that's where the highest salaries are. Would they really be even higher if FB, Google, Apple etc. couldn't find enough devs to hire, or would those companies have set up shop in other areas and countries instead, to accommodate their needs? Or would those companies have been growth constrained on availability of talent instead?
niwork, I can't reply directly so will reply here.
I am based in the East Midlands, I have been offered up to 50k from other companies in the East Midlands but have either rejected (commute) or withdrawn due to slow references.
I feel like salaries are creeping upwards here, but only for in-fashion stacks. I am part of a larger organisation here and have the influence I'd like in the team, so chasing salary isn't a demand for me anymore; however, it does get disheartening at times!