Closed mkhraisha closed 1 year ago
@piotr-oles
This also fixes an issue related to the vulnerable v1 version of the yaml package - https://github.com/advisories/GHSA-f9xv-q969-pqx4
Unfortunately v8.0.0 of cosmiconfig dropped support for v12 of node, which is still supported by fork-ts-checker-webpack-plugin - see https://github.com/cosmiconfig/cosmiconfig/blob/main/CHANGELOG.md#800
This is a little bit of a headache, because you end up with CVE warnings for any installation of NestJS, since the @nestjs/cli package has a transitive dependency on cosmiconfig (via this package) and the older version of cosmiconfig has a dependency on the vulnerable yaml version!
I'm not sure of the best way to proceed; my personal preference would be for the maintainers to cut a new major version and drop support for node v12, since security support for v12 ended over 1 year ago.
:tada: This PR is included in version 9.0.2 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
Similar to #815 except it updates yarn.lock.
cosmiconfig dropped dependency on the yarn npm package which has CVEs