facebookarchive / draft-js

A React framework for building text editors.
https://draftjs.org/
MIT License

Upgrade fbjs #3135

Closed zpao closed 2 years ago

zpao commented 2 years ago

This gets past a couple potential security issues with transitive dependencies. This is effectively a no-op at this point.

The node-fetch change is not important, Draft doesn't make use of it.

The ua-parser-js change is relevant; however, the vulnerable version has been yanked from npm, and fbjs already had an open enough range in its dependency that people would have gotten upgraded without us needing to explicitly upgrade fbjs.

facebook-github-bot commented 2 years ago

@zpao has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

robrichard commented 1 year ago

@zpao can you publish a new version to npm with this change?

stianjensen commented 1 year ago

> can you publish a new version to npm with this change?

It doesn't seem like a new version was ever released. Will there still be a final security release of this lib before it goes into maintenance mode EOY?