IanVS / prettier-plugin-sort-imports

An opinionated but flexible prettier plugin to sort import statements
Apache License 2.0

chore(deps): bump @babel/traverse to avoid audit warning #137

Closed pauliesnug closed 11 months ago

pauliesnug commented 11 months ago

more info: https://github.com/advisories/GHSA-67hx-6x53-jw92

IanVS commented 11 months ago

Thanks for the PR

IanVS commented 11 months ago

Note that if you are getting this warning, you can uninstall and reinstall this plugin, or clear and recreate your lock file, since the version range we depend on includes the good version.

echeequorum commented 7 months ago

Does this change need to be published in a new version of the package? Uninstalling and reinstalling still appears to pull back a package.json with the previous version identified.

IanVS commented 7 months ago

uninstalling and reinstalling still appears to pull back a package.json with the previous version identified.

Can you explain what you mean? You should do something like npm list @babel/traverse to see what versions are installed in your project, and where they are coming from.

echeequorum commented 7 months ago

Thanks for a speedy reply. Installing this as a fresh dependency (uninstalling it, having it removed from the lockfile, then reinstalling it) still generates this in the lockfile:

    "node_modules/@ianvs/prettier-plugin-sort-imports": {
      "version": "4.1.1",
      "resolved": "https://registry.npmjs.org/@ianvs/prettier-plugin-sort-imports/-/prettier-plugin-sort-imports-4.1.1.tgz",
      "integrity": "sha512-kJhXq63ngpTQ2dxgf5GasbPJWsJA3LgoOdd7WGhpUSzLgLgI4IsIzYkbJf9kmpOHe7Vdm/o3PcRA3jmizXUuAQ==",
      "dev": true,
      "dependencies": {
        "@babel/core": "^7.21.8",
        "@babel/generator": "^7.21.5",
        "@babel/parser": "^7.21.8",
        "@babel/traverse": "^7.21.5",
        "@babel/types": "^7.21.5",
        "semver": "^7.5.2"
      },
      "peerDependencies": {
        "@vue/compiler-sfc": ">=3.0.0",
        "prettier": "2 || 3"
      },
      "peerDependenciesMeta": {
        "@vue/compiler-sfc": {
          "optional": true
        }
      }
    },

The @babel/traverse is still "^7.21.5", and I was wondering if that is the case because even though you have updated the package.json file in the repo here, it has not been published in a 4.1.2 version as a patch.

IanVS commented 7 months ago

@babel/traverse is still "^7.21.5"

This is a semver range, which means that the highest version of 7.x.x available will be installed, which is why I said you should check what's actually being installed.

I plan on publishing a new version of this package soon, but in the meantime, you should not be getting a problematic version of the dependency. Are you still getting audit warnings?