Closed julienw closed 2 years ago
It’s not an issue. Microsoft/GitHub/npm is lying to you: https://overreacted.io/npm-audit-broken-by-design/.
Note that that's exactly what I wrote. However, having every user look at the potentially offending code themselves is more work than just upgrading the dependency in alex once and for all. Let's remember that alex gets run on the developer machine, therefore security issues can still be real issues even though it's "just" a development dependency.
It’s a lot of work for me to maintain lots of packages.
My point isn't about development dependencies. This particular vulnerability is not a vulnerability for users of alex.
I can suggest setting up a service such as depfu.com; this has been a great help in our project for managing dependencies.
Also I'd be happy to do PRs to update dependencies in these cases too, given I'm the one who cares about that.
Subject of the issue
Here are the details of this security advisory:

Got allows a redirect to a UNIX socket
Package: got
Patched in: >=11.8.5
Path: alex > update-notifier > latest-version > package-json > got
More info: https://www.npmjs.com/advisories/1080920

My understanding is that package-json doesn't use the option `followRedirect` and therefore isn't vulnerable to this issue. Still, having to look at this manually is painful, and it would be much easier if alex could update its dependency to update-notifier (they upgraded the bad dependency in https://github.com/yeoman/update-notifier/pull/222). Thanks
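As an added example (not code from this issue or from the alex project), here is a small lockfile check for the advisory's dependency path: it resolves alex > update-notifier > latest-version > package-json > got through a package-lock.json `packages` map (lockfileVersion 2/3) using Node-style nested resolution, and reports whether the got that package-json actually receives is inside the patched range >=11.8.5. The lockfile contents and version numbers below are constructed sample data, not alex's real lockfile.

```javascript
// Constructed sample lockfile: root hoists a patched got, but package-json
// keeps its own nested (older) got, which is what the advisory path hits.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { alex: "^11.0.0" } },
    "node_modules/alex": { version: "11.0.0", dependencies: { "update-notifier": "^5.1.0" } },
    "node_modules/update-notifier": { version: "5.1.0", dependencies: { "latest-version": "^5.1.0" } },
    "node_modules/latest-version": { version: "5.1.0", dependencies: { "package-json": "^6.5.0" } },
    "node_modules/package-json": { version: "6.5.0", dependencies: { got: "^9.6.0" } },
    "node_modules/package-json/node_modules/got": { version: "9.6.0" },
    "node_modules/got": { version: "11.8.5" },
  },
};

// Node-style resolution inside the lockfile: check the parent's own
// node_modules first, then walk up towards the root.
function resolveDep(packages, parentKey, name) {
  let base = parentKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx < 0 ? "" : base.slice(0, idx);
  }
}

// Follow a chain such as alex > update-notifier > ... > got from the root.
function resolvePath(lock, chain) {
  let key = "";
  for (const name of chain) {
    key = resolveDep(lock.packages, key, name);
    if (key === null) return null;
  }
  return key;
}

// true when version v is >= min (plain x.y.z, matching the advisory's "Patched in: >=11.8.5")
function atLeast(v, min) {
  const a = v.split(".").map(Number), b = min.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

function checkAdvisory(lock, chain, patchedMin) {
  const key = resolvePath(lock, chain);
  if (key === null) return { found: false };
  const version = lock.packages[key].version;
  return { found: true, key, version, patched: atLeast(version, patchedMin) };
}

const ADVISORY_PATH = ["alex", "update-notifier", "latest-version", "package-json", "got"];
console.log(checkAdvisory(sampleLock, ADVISORY_PATH, "11.8.5"));
```

On a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a hoisted patched got at the root says nothing about which got a nested dependency actually resolves.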