resolve CVE-2021-23440 by upgrading set-value to ^4.0.1
resolve CVE-2021-3803 by using CumulusDS/flow-coverage-report
Details
Fixing in upstream dependencies is complicated because of changing semantics in set-value when setting the undefined value on objects.
See jonschlinkert/cache-base#22 (comment)
It is safe enough for us to override the set-value package version using package.json resolutions.
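One way to apply that override and then verify that no copy of set-value below ^4.0.1 is still installed anywhere in the dependency tree, as an added example that is not part of this PR; it assumes a tree shaped like `npm ls --json` output, and the sample tree below is constructed:

```javascript
// Added example (not from the PR): apply a yarn-style "resolutions" override
// for set-value and check the installed tree for copies that still fall
// outside the required range. The tree shape assumed here is {name, version,
// dependencies: {name: {version, dependencies}}}, as printed by `npm ls --json`.
const REQUIRED = '^4.0.1';

// Parse "major.minor.patch"; pre-release and build suffixes are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret range for "^x.y.z" with x > 0 means >= x.y.z and < (x+1).0.0.
function satisfiesCaret(version, spec) {
  if (!spec.startsWith('^')) throw new Error('only caret ranges are handled here');
  const base = spec.slice(1);
  const [major] = parseSemver(base);
  if (major === 0) throw new Error('caret semantics for 0.x are not handled here');
  return compareSemver(version, base) >= 0 &&
         compareSemver(version, `${major + 1}.0.0`) < 0;
}

// Return the dependency path of every copy of `pkg` that does not satisfy `spec`.
function findUnresolved(tree, pkg, spec, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && !satisfiesCaret(node.version, spec)) hits.push(here.join(' > '));
    hits.push(...findUnresolved(node, pkg, spec, here));
  }
  return hits;
}

// The override the PR describes, applied to a parsed package.json object.
function addResolution(pkgJson, pkg, spec) {
  return { ...pkgJson, resolutions: { ...(pkgJson.resolutions || {}), [pkg]: spec } };
}

// Constructed sample: a transitive set-value still on an old version.
const sampleTree = {
  name: 'example-app', version: '1.0.0',
  dependencies: {
    'cache-base': { version: '1.0.1', dependencies: { 'set-value': { version: '2.0.0' } } },
    'set-value': { version: '4.1.0' },
  },
};
```

Run `findUnresolved` against the real `npm ls --json` output after reinstalling; an empty result means the resolution took effect for every copy.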
Testing
The set-value dependency is only used in the dev infrastructure, not production code. A green build should give us enough confidence to accept this change.