dthree / vorpal

Node's framework for interactive CLIs
http://vorpal.js.org
MIT License

New vulnerabilities in used old dependencies: inquirer & lodash #355

Open ale4ko69 opened 3 years ago

ale4ko69 commented 3 years ago

npm audit

lodash  <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
No fix available
node_modules/vorpal/node_modules/inquirer/node_modules/lodash
  inquirer  <=0.11.4
  Depends on vulnerable versions of lodash
  node_modules/vorpal/node_modules/inquirer
    vorpal  *
    Depends on vulnerable versions of inquirer
    node_modules/vorpal

TorahG commented 3 years ago

Also running into this. I initially thought the issue was with Inquirer, but it appears they do not have lodash listed as a dependency, so perhaps Vorpal needs to upgrade lodash. Here is a screenshot of the audit output from npm. [Screenshot: Screen Shot 2021-09-01 at 11 16 31 AM]

macrozone commented 2 years ago

anyone know a maintained fork of vorpal or something similar?

robross0606 commented 2 years ago

This is really disappointing. There are currently 17 open pull requests so clearly people are trying to help maintain this. But the project owner appears to have somewhat abandoned it. He even suggests someone "shoot him a note" to help maintain it, but there have been no updates in years. If anyone knows of a maintained fork that is actually published to npm with a unique name, please post.

sabbaticaldev commented 3 months ago

If you wanna help just fork it yourself in place of expecting someone that moved on to work on it again, no?

robross0606 commented 3 months ago

@sabbaticaldev, with respect, forking doesn't help the community. All it does is fragment things. If they have "moved on", the owner(s) of this repository should ask for contributors on this repository and work to transition it. Even if I fork the project, I cannot simply publish new versions of this artifact. I'd have to create a different name and then we just add community confusion.

RheaSidana commented 1 month ago

"dependencies": {
  "lodash": "^4.17.21"
},
"overrides": {
  "lodash": "$lodash"
}

Add the dependency explicitly and override it in the package.json file.

sabbaticaldev commented 1 month ago

@robross0606 there is no fragmenting if the original work stopped like the case here. There is just complaining and laziness.

robross0606 commented 1 month ago

@sabbaticaldev The vitriol is unnecessary. It costs nothing to be nice. I respectfully disagree and the already existent forks of this project back it up. This project is also not properly marked as archived. While I'm at it, why not spend an ounce of that wasted hate and spin up your own fork? More fun to troll people instead? If you have nothing useful to contribute, get off the thread.

sabbaticaldev commented 1 month ago

It costs nothing for you to be nice too, @robross0606. Let me remind you that you started this with your condescending tone "This is really disappointing". You are not entitled to free work from free software, you know? In place of wasting so much of our energy with this useless discussion you could have done it the right way.

Also a reminder to you that this here is real life. People get sick, people die, people change priorities in their life.

robross0606 commented 1 month ago

How is "disappointing" condescending? Seriously? Disappointing is a feeling I have. I'm not telling you you're anything (like lazy) and nothing was sarcastic or spoken as if to a child. I'm saying I'm disappointed that this repo hasn't handled shutdown properly:

That's disappointing to me. There's nothing condescending there and nothing hurtful. Sorry, I don't know why you got feelings hurt by that, but you may want to look up the definition of "condescending". (Hint: That last sentence was condescending.)