gulpjs / gulp-cli

Command Line Interface for gulp.
MIT License

Vulnerability in `copy-props` #234

Closed sarahmmcb closed 2 years ago

sarahmmcb commented 2 years ago

Hi, I'm a bit new to this, so I apologize if this turns out to be 'noise.' My project is currently flagging copy-props@2.0.4 as a vulnerability. It lists gulp-cli@2.3.0 as the only package dependent on this (included because I am using gulp@4.0.2). Github has informed me that the fix is in version 2.0.5. I viewed your package.json, and it lists "copy-props": "^2.0.1". Do you know why it might be installing version 2.0.4 instead of version 2.0.5 or higher? Thank you.

phated commented 2 years ago

Your lockfile. I recommend researching how lockfiles work.
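The point above, as an added example (not code from the gulp-cli project or from this thread): a caret range such as `^2.0.1` admits 2.0.4 and 2.0.5 alike, so the installed version is decided by the lockfile, and a small check over a lockfile can flag entries pinned below a known fix. The lockfile fragment is constructed for illustration, and the version parsing ignores pre-release tags and `0.x` caret semantics.

```javascript
// Constructed lockfile fragment (illustration only, not from the gulp-cli repo):
// gulp-cli declares "copy-props": "^2.0.1", but the lockfile pins 2.0.4.
const lockfile = {
  lockfileVersion: 2,
  packages: {
    "node_modules/gulp-cli": { version: "2.3.0", dependencies: { "copy-props": "^2.0.1" } },
    "node_modules/copy-props": { version: "2.0.4" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are out of scope here).
function parseVersion(v) {
  return v.split(".").map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Does "^X.Y.Z" admit `version`? For X >= 1 a caret range keeps the major
// version fixed and accepts anything at or above X.Y.Z (0.x ranges are stricter
// and not handled here). So ^2.0.1 admits both 2.0.4 and the fixed 2.0.5: the
// range does not pick the version, the lockfile does.
function caretAllows(range, version) {
  const base = range.replace(/^\^/, "");
  return parseVersion(version)[0] === parseVersion(base)[0] &&
    compareVersions(version, base) >= 0;
}

// List lockfile entries for `name` that are pinned below `fixedVersion` even
// though the declared range accepts the fix; such entries need a lockfile
// refresh (e.g. `npm update <name>`), not a package.json change.
function findStaleLockEntries(lock, name, declaredRange, fixedVersion) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (!path.endsWith(`node_modules/${name}`)) continue;
    if (compareVersions(entry.version, fixedVersion) < 0 && caretAllows(declaredRange, fixedVersion)) {
      findings.push({ path, pinned: entry.version, fixedVersion });
    }
  }
  return findings;
}

console.log(findStaleLockEntries(lockfile, "copy-props", "^2.0.1", "2.0.5"));
```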

santhoshkumar54 commented 2 years ago

@phated There is a security vulnerability in "copy-props": "^2.0.1" which is used in the gulp-cli@2.3.0 package. copy-props 2.0.5 is available and it does not have any security vulnerability. Is there any plan to update it? I see many tickets related to this are asked and closed as Spam.