crissdev / gulp-yaml

A Gulp plugin to convert YAML to JSON
MIT License
24 stars, 7 forks

Snyk security vulnerability #11

Closed ehmicky closed 6 years ago

ehmicky commented 6 years ago

A security vulnerability is reported by Snyk.

This is because the bufferstreams dependency depends on an old version of debug which has a RegExp DoS vulnerability. This actually is a non-problem since bufferstreams does not even use debug (although it declares it as a dependency). I've sent a pull request to remove that unused dependency.

Considering the project seems mostly dormant, it might be a while before they merge it, so I am suggesting using my fork in the meantime.

crissdev commented 6 years ago

Let's wait for @nfroidure a bit - I've sent him a message on Twitter. Thanks.

crissdev commented 6 years ago

bufferstreams was updated to 2.1.0.

crissdev commented 6 years ago

@ehmicky I intend to exclude package-lock.json and yarn.lock from future commits - they're now ignored (.gitignore).

ehmicky commented 6 years ago

Great! That should fix it.

I think it is recommended for package-lock.json to be committed to Git. The npm documentation says: "This file is intended to be committed into source repositories." But it's not very important, it should work either way :smile:

ehmicky commented 6 years ago

Should the npm version be bumped to 2.0.2?

crissdev commented 6 years ago

It's not necessary.

"bufferstreams": "^2.0.0" (notice the ^)

On Mon, Apr 23, 2018, 12:51 ehmicky notifications@github.com wrote:

Should the npm version be bumped to 2.0.2?

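The caret range crissdev points to above is the whole reason no gulp-yaml release was needed, but it only helps a consumer whose install actually re-resolves the range. The following is an added example, not code from gulp-yaml, bufferstreams or their maintainers: it implements npm's caret rule for plain x.y.z versions, resolves "^2.0.0" against a constructed list of published versions (hypothetical, not taken from the registry), and checks a constructed lockfile fragment that still pins an older bufferstreams to show when a lockfile refresh is required before the fixed transitive dependency reaches node_modules.

```javascript
// Added example, not code from gulp-yaml, bufferstreams or their maintainers.
// Shows how npm's caret range (here "^2.0.0") resolves against a set of
// published versions, and why a transitive-dependency fix shipped in
// bufferstreams 2.1.0 reaches consumers of gulp-yaml without a new gulp-yaml
// release, as long as nothing pins the older version.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Caret rule: allow updates that do not change the left-most non-zero component.
//   ^2.0.0 -> >=2.0.0 <3.0.0
//   ^0.2.0 -> >=0.2.0 <0.3.0
//   ^0.0.3 -> >=0.0.3 <0.0.4
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are handled: ${range}`);
  const base = range.slice(1);
  const lo = parseVersion(base);
  const v = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  if (lo.major !== 0) return v.major === lo.major;
  if (lo.minor !== 0) return v.major === 0 && v.minor === lo.minor;
  return v.major === 0 && v.minor === 0 && v.patch === lo.patch;
}

// What a fresh `npm install` with no lockfile picks: the highest published
// version that satisfies the declared range (null if nothing matches).
function resolveRange(range, published) {
  const matching = published.filter((v) => caretSatisfies(range, v)).sort(compareVersions);
  return matching.length ? matching[matching.length - 1] : null;
}

// A lockfile pins a concrete version regardless of the range. This reports
// whether the pinned version lags the version the range would resolve to now,
// i.e. whether `npm update <name>` (or regenerating the lockfile) is needed
// before the fix actually lands in a consumer's node_modules.
function lockfileLagsRange(lock, name, range, published) {
  const entry = lock.dependencies[name];
  const pinned = entry && entry.version;
  const wanted = resolveRange(range, published);
  if (!pinned || !wanted) return false;
  return compareVersions(pinned, wanted) < 0;
}

// Constructed sample inputs (not taken from the npm registry or this repo):
// the dependency as declared in gulp-yaml's package.json, a hypothetical list
// of published bufferstreams versions, and a lockfile fragment pinning 2.0.1.
const DECLARED_RANGE = '^2.0.0';
const PUBLISHED = ['1.1.3', '2.0.0', '2.0.1', '2.1.0', '3.0.0'];
const OLD_LOCK = { dependencies: { bufferstreams: { version: '2.0.1' } } };

function main() {
  console.log(`${DECLARED_RANGE} resolves to ${resolveRange(DECLARED_RANGE, PUBLISHED)}`);
  console.log(`3.0.0 satisfies ${DECLARED_RANGE}? ${caretSatisfies(DECLARED_RANGE, '3.0.0')}`);
  console.log(`old lockfile needs refresh? ${lockfileLagsRange(OLD_LOCK, 'bufferstreams', DECLARED_RANGE, PUBLISHED)}`);
}

main();
```

Real npm uses the semver package, which also handles prerelease tags, tilde ranges, hyphen ranges and x-ranges; the function above covers only caret ranges over plain x.y.z versions, which is the case in this thread. The practical takeaway is the lockfile check: a consumer who committed a package-lock.json that pins bufferstreams 2.0.x keeps the old debug in their tree until they run npm update bufferstreams or regenerate the lockfile, even though gulp-yaml's declared range already allows 2.1.0.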