Medium / phantomjs

NPM wrapper for installing phantomjs

Dependencies: change tilde to caret #746

Closed avindra closed 6 years ago

avindra commented 7 years ago

Most immediately, this will fix https://github.com/Medium/phantomjs/issues/745

and will obviate the need for constant fixes like

https://github.com/Medium/phantomjs/pull/742

https://github.com/Medium/phantomjs/pull/679

https://github.com/Medium/phantomjs/pull/732

https://github.com/Medium/phantomjs/pull/698

https://github.com/Medium/phantomjs/pull/653

Particularly, this will be helpful from a maintenance perspective, as these dependencies will likely have multiple security patches in the future.

This change will also allow npm / yarn to better dedupe dependencies.

avindra commented 6 years ago

@jfuchs @nicks

A critical security fix has just been released for extract-zip:

https://github.com/maxogden/extract-zip/compare/v1.6.5...v1.6.6

If you accept this PR, then people installing phantomJS will automatically get the fix as a dependency.

:pray: Please do this so that the people still actually using this project aren't bitten for it.

avindra commented 6 years ago

I just pushed a commit to make sure package.json is bumped up in the PATCH section of the semver tag.

All we would need after merging is a publish to npm :pray:

jfuchs commented 6 years ago

should be published now!

JBlackCat commented 6 years ago

@jfuchs See https://github.com/Medium/phantomjs/issues/753