Description
I don't want to be a buzzkill or step on someone's toes. Still, with that change, you are potentially pushing a dependency with nine GitHub stars and two maintainers into millions of micro-services. I'd reconsider...
Originally posted by @Thommy257 in #21486 (comment)
Hi all,
In your latest release, v7.15.0, you included a package called lazy-imports required to run the generated API client code (see #21486). Due to a lack of maintenance and public verification, this package poses a significant security risk. I suggest undoing this change or internalising it into openapi-generator.
Also, this PR probably broke many CI/CD pipelines. And for those that didn't break, many microservices got silently injected with a package not verified by a large open source community.