Medium / phantomjs

NPM wrapper for installing phantomjs

fix: vulnerable dependency (extract-zip) #751

Closed Ilshidur closed 6 years ago

Ilshidur commented 6 years ago

The extract-zip@1.6.5 package is vulnerable to a ReDoS attack.

Updated to version 1.6.6, where the maintainers fixed it a few hours ago in this PR.

This PR can fix tests that fail because of some tools (like Snyk). I made it just in case https://github.com/Medium/phantomjs/pull/746#issuecomment-340663022 isn't merged immediately.
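A check a maintainer could run against an advisory like this one, added here as an example that is not part of this PR or of the Medium/phantomjs code: walk a package-lock.json (lockfileVersion 1, the npm 5 format in use when this PR was opened) and report every installed copy of extract-zip whose version is below the fixed 1.6.6, nested copies included, because bumping the top-level pin does not remove a stale copy that another package still pins underneath it. The lockfile fragment is constructed for the example and `some-tool` is a hypothetical package name; the version comparison ignores pre-release tags (an assumption, sufficient for the plain x.y.z versions involved here).

```javascript
// Added example: find copies of a dependency below a fixed version in a
// package-lock.json tree. Not the project's own code; the lockfile is constructed.

// Parse "1.6.5" (or "v1.6.5") into [1, 6, 5]. Pre-release suffixes after "-"
// are dropped (assumption: only plain x.y.z versions matter for this check).
function parseVersion(v) {
  return v
    .replace(/^[v=]/, "")
    .split("-")[0]
    .split(".")
    .map((n) => parseInt(n, 10) || 0);
}

// Return -1, 0 or 1 comparing two x.y.z versions numerically, field by field.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively walk the nested `dependencies` objects of a lockfileVersion 1
// lockfile and collect every installed copy of `name` below `fixedIn`.
// `path` records where in the tree the copy lives, so the report shows which
// package is still pinning the stale version.
function findVulnerable(lock, name, fixedIn, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [depName, entry] of Object.entries(deps)) {
    const here = path.concat(depName);
    if (depName === name && compareVersions(entry.version, fixedIn) < 0) {
      out.push({ path: here.join(" > "), version: entry.version });
    }
    findVulnerable(entry, name, fixedIn, here, out); // nested (non-deduped) copies
  }
  return out;
}

// Constructed lockfile fragment (not from the repo): the top-level extract-zip
// is already at the fixed version, but a hypothetical package `some-tool`
// still carries its own stale 1.6.5 copy.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "extract-zip": { version: "1.6.6" },
    "some-tool": {
      version: "2.0.0",
      dependencies: {
        "extract-zip": { version: "1.6.5" },
      },
    },
  },
};

const findings = findVulnerable(sampleLock, "extract-zip", "1.6.6");
for (const f of findings) {
  console.log(`${f.path}@${f.version} is below the fixed version 1.6.6`);
}
```

Against a real tree, read the lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of `sampleLock`; the nested copy is exactly the case a top-level `npm update` alone leaves behind, which is why the walk reports the path rather than just the presence of the package.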

avindra commented 6 years ago

@Ilshidur I would strongly prefer that we merge this instead:

https://github.com/Medium/phantomjs/pull/746

As it would result in far fewer instances of having to manually bump dependencies and communicate with Medium, who have already expressed a disinterest in maintaining this project.

Ilshidur commented 6 years ago

Abandoning this PR. As this repo is going to be archived, I'm not willing to keep a fork of it in my repositories. Sorry to see this project is going down.