Closed LinusU closed 2 years ago
That would be great because simple-get ^3.0.3 is a transitive dependency of other packages, like prebuild-install v5 and v6.
Looks like there is a backport for 2.x.x in PR #75 , I would surmise a fix here would be very similar. I hope we get some traction here.
I think that you can already make your pull request @LinusU, so that feross just has to approve and merge the stuff.
@LinusU I gave you access to this package on GitHub and npm to help handle these security fixes. Appreciate it!
I've cherry-picked the fix and released 3.1.1 and 2.8.2
Thanks! Has somebody poked the powers that be so that https://github.com/advisories/GHSA-wpg7-2c88-r8xv gets updated with the new fixed versions?
Unfortunately I have no idea how to do that, would love to get to know how though
I've cherry-picked the fix and released 3.1.1 and 3.8.2
Amazing, thanks.
For the record: the last version number is a typo and needs to be 2.8.2. See also versions tab in https://www.npmjs.com/package/simple-get.
We are using version 3.x of simple-get in canvas and cannot upgrade to 4.x without making it a breaking change since we still support Node.js 6.x. @feross would it be possible to have the patch backported to the 3.x release line?
I can submit a PR if you create a 3.x branch from abdcdb32d0bb7707110a1ab39df99488330df1ee. Thanks!