EasyPost / easypost-node

EasyPost Shipping API Client Library for Node
https://easypost.com/docs/api
MIT License
139 stars 54 forks

chore: bump dependencies to fix vulnerability #416

Closed Justintime50 closed 1 year ago

Justintime50 commented 1 year ago

Description

Fixes https://github.com/EasyPost/easypost-node/security/dependabot/52


nwithan8 commented 1 year ago

No changes committed to packages.json, just the lock file?

Justintime50 commented 1 year ago

> No changes committed to packages.json, just the lock file?

Correct, the dependency with a vulnerability is a dep of a dep. We can't manipulate anything in package.json to fix that. A quick npm update bumps everything to the most recent versions that respect our pinned ranges, simultaneously bumping the vulnerable dep to what is required to use the fix.
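The lock-only fix described in the reply above, as an added example (not code from this pull request or from the easypost-node project): it walks a v3-style `package-lock.json` structure to show that a vulnerable package is transitive, which installed packages require it, and whether the locked version has reached the fixed release. The lockfile content, the package names `left-lib`, `test-tool` and `vuln-dep`, and the fixed version `1.2.4` are constructed placeholders.

```javascript
// Constructed lockfile (v3 "packages" layout); package names and versions are hypothetical.
const lockBefore = {
  packages: {
    '': { dependencies: { 'left-lib': '^2.0.0' }, devDependencies: { 'test-tool': '^1.0.0' } },
    'node_modules/left-lib': { version: '2.3.1', dependencies: { 'vuln-dep': '^1.2.0' } },
    'node_modules/test-tool': { version: '1.4.0', dependencies: { 'vuln-dep': '^1.0.0' } },
    'node_modules/vuln-dep': { version: '1.2.3' },
  },
};
// After a lock-only update the manifest ranges are unchanged; only the resolved version moves.
const lockAfter = JSON.parse(JSON.stringify(lockBefore));
lockAfter.packages['node_modules/vuln-dep'].version = '1.2.4';

// Resolve `name` as seen from `fromPath`: nearest node_modules first, then each parent up to the root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  while (true) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}
// Numeric compare of plain x.y.z versions (prerelease tags are not handled).
function gte(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] > pb[i];
  return true;
}
// Report every installed copy of `name`, who requires it, and whether it is at or past `fixedIn`.
function audit(lock, name, fixedIn) {
  const pkgs = lock.packages;
  const root = pkgs[''] || {};
  const direct = name in { ...root.dependencies, ...root.devDependencies };
  const copies = {};
  for (const [path, meta] of Object.entries(pkgs)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies, ...(path ? {} : meta.devDependencies) };
    if (!(name in deps)) continue;
    const hit = resolve(pkgs, path, name);
    if (!hit) continue;
    if (!copies[hit]) copies[hit] = { version: pkgs[hit].version, fixed: gte(pkgs[hit].version, fixedIn), requiredBy: [] };
    copies[hit].requiredBy.push(`${path || '(root)'} wants ${deps[name]}`);
  }
  return { direct, copies };
}

console.log(JSON.stringify({ before: audit(lockBefore, 'vuln-dep', '1.2.4'), after: audit(lockAfter, 'vuln-dep', '1.2.4') }, null, 2));
```

A `requiredBy` range that excludes the fixed version means a lock-only update cannot reach the fix for that copy.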