electron-userland / electron-windows-store

:package: Turn Electron Apps into Windows AppX Packages
MIT License

electron-windows-store relies on package semver with security issue #88

Open naderm opened 6 years ago

naderm commented 6 years ago

electron-windows-store has an out of date dependency, semver, that contains a security issue

electron-windows-store@^0.10.1 > flatten-packages@^0.1.4 > semver@~2.2.1

I've filed this issue in flatten-packages, but that package has not been updated in several years. I'm re-filing this issue here in case it is not addressed downstream:

https://github.com/arifsetiawan/flatten/pull/21

felixrieseberg commented 6 years ago

Doesn't seem all that bad, given that we're not using this as a server app (and I hope you're not either) and that semver is only run against your own input. This is only an issue if you're concerned about DDOSing yourself 😆

felixrieseberg commented 6 years ago

I'd totally accept a PR though!

paulvarache commented 5 years ago

This project no longer depends on flatten-packages and the package-lock.json contains version 5.5.1 of semver. Could we close this issue?
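The two claims in this thread, the nested `flatten-packages > semver@~2.2.1` chain in the opening post and the `5.5.1` copy in package-lock.json in the last comment, are both things a maintainer can verify from the lockfile. The script below is an added example, not code from the issue or from the electron-windows-store project. It walks a package-lock.json in either the lockfileVersion 1 layout (nested `dependencies`) or the 2/3 layout (`packages` keyed by install path), lists every installed copy of a named package with the path that pulls it in, and flags copies below a minimum version the caller supplies. The sample lockfiles are constructed to mirror the chain quoted in the thread; the `5.5.1` threshold is the version the last comment cites, not a statement of which semver release fixed the issue, so supply the floor from the advisory that applies to you.

```python
"""Locate every copy of a package in an npm lockfile and flag copies below a minimum version."""
import json
import re
from typing import List, Tuple

# Constructed sample lockfile (v1 layout, nested "dependencies") mirroring the issue:
# flatten-packages carries its own old semver while a newer semver sits at the top level.
SAMPLE_LOCK_V1 = json.loads("""
{
  "name": "electron-windows-store",
  "lockfileVersion": 1,
  "dependencies": {
    "flatten-packages": {
      "version": "0.1.4",
      "dependencies": {
        "semver": { "version": "2.2.1" }
      }
    },
    "semver": { "version": "5.5.1" }
  }
}
""")

# The same tree in the v2/v3 layout ("packages" keyed by install path), also constructed.
SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "electron-windows-store",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "electron-windows-store" },
    "node_modules/flatten-packages": { "version": "0.1.4" },
    "node_modules/flatten-packages/node_modules/semver": { "version": "2.2.1" },
    "node_modules/semver": { "version": "5.5.1" }
  }
}
""")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; prerelease/build suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def find_package_paths(lock: dict, name: str) -> List[Tuple[str, str]]:
    """Return (dependency path, version) for every installed copy of `name`.

    Handles lockfileVersion 1 (nested "dependencies") and 2/3 ("packages" map).
    """
    found: List[Tuple[str, str]] = []

    # v2/v3: the install path encodes the nesting, e.g.
    # node_modules/flatten-packages/node_modules/semver
    if "packages" in lock:
        for key, meta in lock["packages"].items():
            parts = [p.strip("/") for p in key.split("node_modules/") if p]
            if parts and parts[-1] == name and "version" in meta:
                found.append((" > ".join(parts), meta["version"]))

    # v1: recurse through nested "dependencies" objects, keeping the trail.
    def walk(deps: dict, trail: List[str]) -> None:
        for dep, meta in deps.items():
            path = trail + [dep]
            if dep == name and "version" in meta:
                found.append((" > ".join(path), meta["version"]))
            walk(meta.get("dependencies", {}), path)

    if "dependencies" in lock:
        walk(lock["dependencies"], [])
    return sorted(found)


def outdated_copies(lock: dict, name: str, minimum: str) -> List[Tuple[str, str]]:
    """Copies of `name` whose version is below `minimum` (the floor is supplied by the caller)."""
    floor = parse_version(minimum)
    return [(p, v) for p, v in find_package_paths(lock, name) if parse_version(v) < floor]


if __name__ == "__main__":
    for label, lock in (("v1", SAMPLE_LOCK_V1), ("v3", SAMPLE_LOCK_V3)):
        print(f"{label} lockfile:")
        for path, version in find_package_paths(lock, "semver"):
            print(f"  {path} -> {version}")
        print("  below 5.5.1:", outdated_copies(lock, "semver", "5.5.1"))
```

To run this against a real project, replace the constructed samples with `json.load(open("package-lock.json"))`; the point of reporting the path rather than only the version is that a stale nested copy (as in the opening post) survives even when the top-level copy is current, so "the lockfile contains 5.5.1" is only half of the check.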