Closed rab1 closed 3 weeks ago
The risk is very minimal given the fact that the entire point of jscodeshift is to run user-supplied code, but we can bump the dependencies to resolve this issue.
@Daniel15 Could you bump the version and make a patch release?
Yes, I'll bump it tomorrow.
I figured out what happened. #588 bumped the babel-core dependency from 7.0.0-bridge.0 to 6.26.3, I guess since technically it's newer. This caused the security alerts to fire since all babel versions <7.23.2 have the issue.

The security warning is not a problem for jscodeshift though, since babel-core v6 is not actually used in jscodeshift. The only reference to babel-core instead of @babel/core was in the code that outputs the version when you run jscodeshift --version.

I updated that code to use @babel/core and removed the old babel-core package.
I've published a new package with the babel-core dependency removed as v0.16.1.
I have installed the latest package "jscodeshift": "^0.16.0", and executed npm audit .. it throws See detailed errors on
Can anyone advise on this?