randycoulman
commented
5 years ago eslint-find-rules is a dev-only dependency for this project, so not a huge issue for us, and certainly not an issue for our users. Thanks for bringing it up!
Closed sturdynut closed 5 years ago
randycoulman
commented
5 years ago eslint-find-rules is a dev-only dependency for this project, so not a huge issue for us, and certainly not an issue for our users. Thanks for bringing it up!
This is to bring the
memsecurity warning to attention. After following the yarn.lock it appears that thismemdependency is coming from the version ofyargsthateslint-find-rulesis using.Here's the chain of dependencies that lead to the insecure package.
eslint-find-rules → yargs (v8.0.1) yargs (v8.0.1) → os-locale (v2.0.0) os-locale (v2.0.0) → mem (v^1.1.0")
I've submitted a PR to upgrade their version of
yargsto the latest which should removememas a dependency entirely.We should be able to upgrade our version of
eslint-find-rulesonce this is merged and a new version is released.