Open dropbeardan opened 2 years ago
Dependabot has picked up a dependency on an old version of `yargs` from `migrate-mongoose^4.0.0`.

There is a moderately-severe security vulnerability notice on `yargs-parser@2.4.1`:

The latest possible version that can be installed is 2.4.1 because of the following conflicting dependencies. The earliest fixed version is 5.0.1.
I'm not exactly sure why the old version is still being resolved by NPM/Yarn but would it be possible to bump that up?
```json
"migrate-mongoose": {
  "version": "4.0.0",
  "resolved": "https://registry.npmjs.org/migrate-mongoose/-/migrate-mongoose-4.0.0.tgz",
  "integrity": "sha512-Zf4Jk+CvBZUrZx4q/vvYr2pRGYAo7RO4BJx/3aTAR9VhNa34/iV0Rhqj87Tflk0n14SgwZpqvixyJzEpmSAikg==",
  "requires": {
    "bluebird": "^3.3.3",
    "colors": "^1.1.2",
    "dotenv": "^8.0.0",
    "inquirer": "^0.12.0",
    "mkdirp": "^0.5.1",
    "mongoose": "^5.6.3",
    "yargs": "^4.8.1"
  }
},
"yargs": {
  "version": "4.8.1",
  "resolved": "https://registry.npmjs.org/yargs/-/yargs-4.8.1.tgz",
  "integrity": "sha1-wMQpJMpKqmsObaFznfshZDn53cA=",
  "requires": {
    "cliui": "^3.2.0",
    "decamelize": "^1.1.1",
    "get-caller-file": "^1.0.1",
    "lodash.assign": "^4.0.3",
    "os-locale": "^1.4.0",
    "read-pkg-up": "^1.0.1",
    "require-directory": "^2.1.1",
    "require-main-filename": "^1.0.1",
    "set-blocking": "^2.0.0",
    "string-width": "^1.0.1",
    "which-module": "^1.0.0",
    "window-size": "^0.2.0",
    "y18n": "^3.2.1",
    "yargs-parser": "^2.4.1"
  }
},
"yargs-parser": {
  "version": "2.4.1",
  "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz",
  "integrity": "sha1-hVaN488VD/SfpRgl8DqMiA3cxcQ=",
  "requires": {
    "camelcase": "^3.0.0",
    "lodash.assign": "^4.0.6"
  }
}
```