Closed BHANU2705 closed 2 years ago
Upgrading to the latest prebuild-install (7.0.1 as of today) will pull in the version of simple-get containing the fix for CVE-2022-0355.
Also, shouldn't prebuild-install be a dev dep?
All those dependencies have been upgraded. I'll test this tomorrow with GitHub Desktop and make a release if everything goes well. Sorry for the delay! /cc @joaomoreno
> Also, shouldn't prebuild-install be a dev dep?
@sergiou87 thoughts on this? Only being used to install prior to building
@aruniverse check this https://github.com/atom/node-keytar/pull/443#issuecomment-1026812194
I actually did that initially, but it needs to be a runtime dep so it pulls all prebuilt binaries when node-keytar is added as a dependency by other projects 😅
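A package.json sketch of the distinction discussed in this comment, added here as an illustration rather than taken from node-keytar's own manifest; the package name, script names and the build fallback command are assumptions, and only the prebuild-install version comes from this thread:

```json
{
  "name": "example-native-addon",
  "version": "0.0.0",
  "scripts": {
    "install": "prebuild-install || npm run build",
    "build": "node-gyp rebuild"
  },
  "dependencies": {
    "prebuild-install": "^7.0.1"
  }
}
```

The `install` lifecycle script runs on the consumer's machine when they add this package, so anything it invokes must be reachable there. With prebuild-install under `dependencies` it is installed alongside the package and can download the prebuilt binary; moved to `devDependencies` it would only be present in this repository's own checkout, and the script would fail for consumers before reaching the `npm run build` fallback.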
> I actually did that initially, but it needs to be a runtime dep so it pulls all prebuilt binaries when node-keytar is added as a dependency by other projects 😅
Ah sorry, didn't look at the thread, just the diff. Should it then be a peer dep? @sergiou87
> All those dependencies have been upgraded. I'll test this tomorrow with GitHub Desktop and make a release if everything goes well. Sorry for the delay! /cc @joaomoreno
Fantastic, thanks! I'll update the dependencies to keytar upstream, once you release a new version.
Prerequisites
Description
The dependencies (node-addon-api & prebuild-install) have got their major version upgrades. The current versions are as follows:
These two dependencies bring many transitive dependencies which have security vulnerabilities, and WhiteSource keeps reporting them, and the consumers are unable to fix it properly.
Hence, requesting you to upgrade keytar's dependencies' major versions and release a new version of keytar, so that many of the security vulnerabilities get fixed.