Open TimCorwinCytiva opened 1 week ago
Please explain to me how an attacker would exploit these issues to cause a security issue in Graphile Migrate.
Unlikely that either CVE could be exploited inside graphile-migrate; but depending on the npm/yarn configuration, if the vulnerable versions were picked for graphile-migrate and then re-used for untrusted input...
Feel free to raise a minimal PR updating the lockfile and, if necessary, the package.json. I'm currently travelling for GraphQLConf so will likely not get a chance to release it for a week or two.
I have created https://github.com/TimCorwinCytiva/migrate/tree/bump-chokidar, based on your v1.4.1 tag, but I'm not sure how I could raise a PR without involving your V2 RCs, since there doesn't seem to be a release branch. Apologies if this is obvious, this is actually my first PR outside of Corpo-land.
Basing the PR off of main would be best; that’s where the release candidates are. They’re not really release candidates any more I guess, I just need to release the final version without changes.
I guess I could create a 1.x branch for patch releases though. That's fine 👍 Leave it with me.
1.4.1 expects vulnerable versions of braces and ip via the dependency on chokidar@3.5.3. See:
https://www.cve.org/CVERecord?id=CVE-2024-4068
https://www.cve.org/CVERecord?id=CVE-2024-29415
Could we get a patch release please?
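Added example, not code from the issue or from the graphile-migrate project: a small Node script that walks a lockfileVersion 3 package-lock.json the way npm resolves nested node_modules and reports every dependency chain ending in a version below a fixed threshold, so the transitive chokidar > braces / ip path reported above can be confirmed before and after the lockfile bump. The lockfile contents and dependency edges are constructed for the example, and the ip fixed version is an assumption; braces 3.0.3 is the release that fixes CVE-2024-4068.

```javascript
// Constructed sample of a lockfileVersion 3 package-lock.json (not a real lockfile). It models
// the chain the issue describes: root > graphile-migrate > chokidar@3.5.3 > braces, ip.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "graphile-migrate": "^1.4.1" } },
    "node_modules/graphile-migrate": { version: "1.4.1", dependencies: { chokidar: "3.5.3" } },
    "node_modules/chokidar": { version: "3.5.3", dependencies: { braces: "~3.0.2", ip: "^2.0.0" } },
    "node_modules/braces": { version: "3.0.2" },
    "node_modules/ip": { version: "2.0.0" },
  },
};
// First fixed version per package. braces 3.0.3 fixes CVE-2024-4068; the ip value is an
// assumption for this example: confirm it against the CVE-2024-29415 advisory.
const FIXED = { braces: "3.0.3", ip: "2.0.2" };
// Compare dotted numeric versions: negative when a < b. Pre-release tags are not handled.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Resolve `name` from `fromPath` the way Node does: nearest node_modules, walking upward.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const key = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[key]) return key;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Walk the graph from the root; return every chain ending in a package whose resolved version
// is below its fixed version. Each package expands once (cycle-safe) but is reported per parent.
function findVulnerableChains(lock, fixed = FIXED) {
  const packages = lock.packages, findings = [], seen = new Set();
  const visit = (path, chain) => {
    if (seen.has(path)) return;
    seen.add(path);
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath) continue;
      const v = packages[depPath].version, next = [...chain, `${dep}@${v}`];
      if (fixed[dep] && cmpVersion(v, fixed[dep]) < 0) findings.push(next.join(" > "));
      visit(depPath, next);
    }
  };
  visit("", []);
  return findings;
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result after the bump means no remaining chain resolves to a version below the thresholds.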