Closed olgolovin closed 6 years ago
@ifandelse it looks like this vulnerability alert is causing all packages using machina to be unlisted on npms.io and npmjs.com.
Is there work in progress to fix this or would you accept a PR to update lodash to a non-vulnerable version?
[edit] NVM, it looks like a glitch in the search function; everything is back in order. I'd still be very happy to submit a PR if I knew you'd be OK to review/release it.
PR #159
Sending another ping on this issue: @ifandelse, @rniemeyer?
I totally understand that you don't owe anything to anyone and that we're lucky to have this project in its current state. If you're pressed for time and don't have time to test/merge/publish a new version with the changes proposed in #159 (provided that you think they are correct?), maybe you can offload this to a new maintainer?
My team would be happy to contribute and take on those responsibilities, even if it's just for petty things like dependency updates.
If you aren't open to patching this at the time, are you OK with someone else forking the repository and publishing a separate patched version, maybe under a different package name?
@pierreca Apologies for the wait. A few months back I muted all notifications on nearly every tool I'm subscribed to... and, well, it had some unfortunate collateral damage... like this. :facepalm:
v4.0.1 is published with the updated lodash version.
$ npm i machina
gives:
$ npm audit
Prototype Pollution
  Package: lodash
  Patched in: >=4.17.5
  Dependency of: machina
  Path: machina > lodash