sesam
commented
3 years ago I updated this PR with adding all currently open dependabot PRs so it can all be tested together, making it less work at least from my point of view.
Closed sesam closed 3 years ago
sesam
commented
3 years ago I updated this PR with adding all currently open dependabot PRs so it can all be tested together, making it less work at least from my point of view.
chimurai
commented
3 years ago We've discovered a vulnerable package is used by this package, and as this is a production issue, we want to get it patched and are able to help making that happen.
Could you share those details? Which production dependency are you referring to?
AFAIK the dependabot PRs is only updating devDependencies.
Those dev dependencies and (dependencies in lock files) won't be installed if you consume http-proxy-middleware normally.
chimurai
commented
3 years ago fixed in #671
thanks for reminder to update dev dependencies
sesam
commented
3 years ago Thanks for solving this issue! Will share details once we get all-clear from automated security scans. (I also notice this PR registered under Hacktoberfest, but as this PR is closed I'll try and just delete this branch, and see if that clears it away from my profile.)
Description
I ran
yarn upgrade-interactiveand since all the packages listed as possible to upgrade were either patch- or minor upgrades, they should be safe. This PR does all those upgrades, as it seems dependabot did not get around to handling all of them.Motivation and Context
We've discovered a vulnerable package is used by this package, and as this is a production issue, we want to get it patched and are able to help making that happen.
How has this been tested?
Looking for any already implemented test code now. Will also test this in our product that depends on this.
Types of changes
Checklist: