BMuuN / vsts-assemblyinfo-task

Assembly Info is an extension for Azure DevOps that populates assembly information metadata from a build pipeline.
https://marketplace.visualstudio.com/items?itemName=bleddynrichards.Assembly-Info-Task
MIT License

Define dependencies in a way allowing minor or patch updates to mitigate known vulnerabilities #358

Open piotrg123 opened 1 year ago

piotrg123 commented 1 year ago

Our Software Composition Analysis tool has reported outdated libraries used in this extension, including critical vulnerabilities such as CVE-2021-44906 in minimist.

The vulnerability was partially addressed in minimist 1.2.5 and based on our analysis there is no easy way to exploit it in this extension. The problem is that each such reported vulnerability requires considerable manual effort in order to determine that the extension is safe to use.

Currently in package.json all dependencies are referenced with a specific version, not allowing any major, minor or patch updates. I propose to update package.json so that the most recent compatible version of the dependency is used rather than a specific version. See also: https://docs.npmjs.com/about-semantic-versioning

I noticed that there are many pull requests open, created automatically by dependabot which are related to updating dependencies. I'm not sure how using this approach compares to adjusting package.json to allow dependency updates using semantic versioning. Can you explain why these pull requests are still open and whether there is a plan to publish a new version with updated dependencies?

Updating the dependencies is needed, as it will reduce the effort needed to investigate vulnerabilities reported by automated scanning tools.


According to our Software Composition Analysis tool, to mitigate the high vulnerabilities the following packages should be updated:

| Package/library | Current version | Target version |
| --- | --- | --- |
| word-wrap | 1.2.3 | 1.2.4 |
| tough-cookie | 4.0.0 | 4.1.3 |
| semver | 7.3.5 | 7.5.2 |
| semver | 5.7.1 | 5.7.2 |
| moment | 2.29.1 | 2.29.4 |
| minimist | 1.2.5 | 1.2.6 |
| minimatch | 3.0.4 | 3.0.5 |
| ansi-regex | 5.0.0 | 5.0.1 |
| qs | 6.10.1 | 6.10.3 |
| debug | 4.3.3 | No version available |
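The difference between an exact pin and a semver range, which the issue above turns on, as an added example that is not part of the issue or of the vsts-assemblyinfo-task code: a small Node.js audit helper that finds exact-pinned entries in a `package.json` object and shows which versions a caret (`^`) or tilde (`~`) range would admit under the npm rules linked in the issue. The function names (`satisfies`, `proposeRanges`) and the sample manifest `SAMPLE_PKG` are assumptions constructed for this example; the versions in it mirror the table in the issue, not the extension's real manifest, and pre-release tags are deliberately not handled.

```javascript
// Added example, not the extension's own code. Implements the npm range rules
// from https://docs.npmjs.com/about-semantic-versioning for plain x.y.z specs.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Returns true when `candidate` falls inside the range `spec`.
// Supports exact pins ("1.2.5"), caret ("^1.2.5") and tilde ("~1.2.5") ranges.
function satisfies(spec, candidate) {
  const c = parseVersion(candidate);
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const b = parseVersion(op ? spec.slice(1) : spec);
  const cmp = (x, y) => x.major - y.major || x.minor - y.minor || x.patch - y.patch;
  if (cmp(c, b) < 0) return false;                 // never below the base version
  if (op === '') return cmp(c, b) === 0;           // exact pin admits only that version
  if (op === '~') return c.major === b.major && c.minor === b.minor; // patch updates only
  // caret: minor and patch updates while major > 0; for 0.x the leftmost
  // non-zero field is treated as the major, so ^0.2.3 stays below 0.3.0 and
  // ^0.0.3 admits nothing but 0.0.3 itself.
  if (b.major > 0) return c.major === b.major;
  if (b.minor > 0) return c.major === 0 && c.minor === b.minor;
  return cmp(c, b) === 0;
}

// Lists dependencies whose spec is an exact pin, together with the caret range
// that would replace it so minor and patch updates are picked up automatically.
function proposeRanges(pkg) {
  const out = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (/^\d+\.\d+\.\d+$/.test(spec)) {
        out.push({ section, name, current: spec, proposed: `^${spec}` });
      }
    }
  }
  return out;
}

// Constructed sample manifest (hypothetical; not the extension's real package.json).
const SAMPLE_PKG = {
  name: 'sample-extension',
  dependencies: { minimist: '1.2.5', moment: '2.29.1', semver: '7.3.5' },
  devDependencies: { 'ansi-regex': '^5.0.0', 'tough-cookie': '4.0.0' },
};

// Show which pins block the patched versions from the issue's table.
for (const d of proposeRanges(SAMPLE_PKG)) {
  console.log(`${d.section}/${d.name}: ${d.current} -> ${d.proposed}`);
}
console.log('1.2.5 admits 1.2.6:', satisfies('1.2.5', '1.2.6'));   // false
console.log('^1.2.5 admits 1.2.6:', satisfies('^1.2.5', '1.2.6')); // true
```

Note that a range in `package.json` only changes what `npm install` may resolve; a committed `package-lock.json` still pins the exact tree until `npm update` or a lockfile refresh runs, which is why dependabot pull requests against the lockfile and range widening in the manifest are complementary rather than interchangeable.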