Yaffle / EventSource

a polyfill for http://www.w3.org/TR/eventsource/
MIT License

Vulnerable version (0.4.4) of grunt is used #172

Closed bkum closed 2 years ago

bkum commented 3 years ago

Refer to https://nvd.nist.gov/vuln/detail/CVE-2020-7729. Requires version >=1.3.0.

Yaffle commented 3 years ago

hm.... what can we do to avoid such issues?

bkum commented 3 years ago

In order to use this library, our organization's security compliance requires this library's dependencies to be upgraded to the latest version. Could you please upgrade this library's dependency to the latest version?

Yaffle commented 3 years ago

@bkum, it is a problem. I don't know how to update grunt: the new version does not support the old options, and I cannot find how to tell it to keep the license comment in the minified file.

entropylost commented 3 years ago

Wouldn't you be able to just update the grunt minor version?

Yaffle commented 3 years ago

I have updated the grunt version, please check.
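
An added example, not part of the thread or of the project's code: a small Node.js check that flags a `package.json` whose declared range for a package starts below a required floor, here grunt >= 1.3.0 as stated in the issue. The function names and the sample manifest are assumptions made for illustration; only exact, `^`, `~` and `>=` ranges are interpreted.

```javascript
// Flag dependency ranges whose lowest admitted version is below a floor.
// Ranges that are not exact / ^ / ~ / >= are reported as "unknown" so
// they get a manual look instead of a silent pass.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// For exact, ^, ~ and >= ranges the lowest admitted version is the one written.
function lowestAllowed(range) {
  const m = /^\s*(\^|~|>=|=)?\s*v?(\d+\.\d+\.\d+)\s*$/.exec(range);
  return m ? parseVersion(m[2]) : null;
}

function auditFloors(pkg, floors) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!(name in floors)) continue; // only packages with a stated floor
      const low = lowestAllowed(range);
      const status = low === null ? "unknown"
        : compare(low, parseVersion(floors[name])) < 0 ? "below-floor" : "ok";
      findings.push({ section, name, range, status });
    }
  }
  return findings;
}

// Constructed sample manifest, not the project's real package.json.
const samplePkg = {
  devDependencies: { grunt: "~0.4.4", "example-plugin": "*" },
};
const floors = { grunt: "1.3.0" }; // floor taken from the issue text

console.log(auditFloors(samplePkg, floors));
```

A `~0.4.4` range only admits 0.4.x releases, so it stays below the floor until the range itself is edited. Run against the real manifest in CI, the same check fails the build when a listed package's range starts below its floor.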