garycourt / uri-js

An RFC 3986 compliant, scheme extendable URI parsing/validating/normalizing/resolving library for JavaScript

yarn lock locks down growl@1.9.2 but this version has vulnerabilities #54

Closed clisterdmello closed 3 years ago

clisterdmello commented 3 years ago

```
growl@1.9.2:
  version "1.9.2"
  resolved "https://registry.yarnpkg.com/growl/-/growl-1.9.2.tgz#0ea7743715db8d8de2c5ede1775e1b45ac85c02f"
```

is locked down in yarn.lock, but this version has vulnerabilities. Is it possible to update it to the version that mocha gets in?

```
└─┬ mocha@8.1.3
  └── growl@1.10.5
```

There are other libraries as well. I will make a list of it, but this seemed a little high priority 👍 I can do a PR as well :)
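An added example, not code from the uri-js repository or from this thread: a small parser for the yarn.lock v1 entry format quoted above that reports packages locked below a required version. The lockfile text is constructed for the example; only the growl entry mirrors the one in the issue, and the mocha entry (with a placeholder tarball hash) is made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in yarn.lock v1 format. NOT the real uri-js lockfile:
# the growl entry copies the issue, the mocha entry is invented with a
# placeholder hash so the lock can show a dependency wanting a newer growl.
SAMPLE_LOCK = '''# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


growl@1.9.2:
  version "1.9.2"
  resolved "https://registry.yarnpkg.com/growl/-/growl-1.9.2.tgz#0ea7743715db8d8de2c5ede1775e1b45ac85c02f"

mocha@^8.1.3:
  version "8.1.3"
  resolved "https://registry.yarnpkg.com/mocha/-/mocha-8.1.3.tgz#PLACEHOLDER_HASH"
  dependencies:
    growl 1.10.5
'''

ENTRY_RE = re.compile(r'^(\S.*):$')              # unindented "name@range:" opens an entry
FIELD_RE = re.compile(r'^  (version|resolved) "([^"]*)"$')  # two-space indented fields

def parse_yarn_lock(text: str) -> Dict[str, Dict[str, str]]:
    """Map every 'name@range' key of each entry to its version/resolved fields."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # One entry may serve several ranges: `"mocha@^8.1.3", mocha@8.1.3:`
            current = {}
            for key in m.group(1).split(','):
                entries[key.strip().strip('"')] = current
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries

def parse_version(v: str) -> Tuple[int, ...]:
    """Plain x.y.z only; prerelease tags are out of scope for this example."""
    return tuple(int(p) for p in v.split('.'))

def locked_below(entries: Dict[str, Dict[str, str]], name: str, minimum: str) -> List[str]:
    """Return 'key -> version' for lock entries of `name` resolved below `minimum`."""
    bad = []
    for key, fields in entries.items():
        pkg = key.rpartition('@')[0]  # handles scoped names like @types/node@^1
        if pkg == name and parse_version(fields['version']) < parse_version(minimum):
            bad.append(f"{key} -> {fields['version']}")
    return bad
```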

garycourt commented 3 years ago

This package is not used in production, and is only used to compile and/or unit test the code. Therefore, any risk is quite low. But yes, it should be possible to update this package version.

garycourt commented 3 years ago

Now fixed in uri-js@4.4.1.