Closed olizilla closed 4 years ago
The ipfs-desktop repo has an incorrect security advisory on its transitive dep on cryptiles, which it gets via ipfsd-ctl > hapi > cryptiles.
```
$ npm ls cryptiles
ipfs-desktop@1.0.0 /Users/oli/Code/ipfs-shipyard/ipfs-desktop
└─┬ ipfsd-ctl@0.40.0
  └─┬ hapi@16.7.0
    ├── cryptiles@3.1.4
    ├─┬ iron@4.0.5
    │ └── cryptiles@3.1.4 deduped
    └─┬ statehood@5.0.3
      └── cryptiles@3.1.4 deduped
```
The alert https://github.com/ipfs-shipyard/ipfs-desktop/network/alert/package-lock.json states we have to upgrade to cryptiles>=4.1.2 which would only be possible by updating to hapi@17.
But here we see the fix for the issue backported and released in cryptiles@3.1.3.
This is just a record of the digging I did so others can rest easy. As long as you see cryptiles>=3.1.3 you can ignore the alert. It's annoying, I know.
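The check described in the post, as an added example (not olizilla's or the ipfs-desktop project's code): walk the JSON that `npm ls cryptiles --json` prints, find every copy of the package in the tree, and judge each one against the release that actually carries the fix on its own major line rather than against the single version the alert names. The sample tree below is constructed to mirror the `npm ls` output quoted above; the per-major fixed versions (3.1.3 for the backport, 4.1.2 from the alert) are the ones stated in the post; the assumption that each occurrence carries a `"version"` key follows the shape of `npm ls --json` output.

```python
"""Check every copy of a package in an `npm ls --json` tree against the
fixed version on its own major line (added example, not project code)."""
import json

# Constructed sample shaped like `npm ls cryptiles --json` for the tree in the issue.
SAMPLE_NPM_LS_JSON = json.dumps({
    "name": "ipfs-desktop",
    "version": "1.0.0",
    "dependencies": {
        "ipfsd-ctl": {
            "version": "0.40.0",
            "dependencies": {
                "hapi": {
                    "version": "16.7.0",
                    "dependencies": {
                        "cryptiles": {"version": "3.1.4"},
                        "iron": {"version": "4.0.5",
                                 "dependencies": {"cryptiles": {"version": "3.1.4"}}},
                        "statehood": {"version": "5.0.3",
                                      "dependencies": {"cryptiles": {"version": "3.1.4"}}},
                    },
                }
            },
        }
    },
})

# Lowest version carrying the fix on each major line, taken from the issue:
# the alert names 4.1.2, the backport landed in 3.1.3. (Assumed table; extend
# it per advisory.)
FIXED_VERSIONS = {"cryptiles": {3: (3, 1, 3), 4: (4, 1, 2)}}


def parse_version(text):
    """'3.1.4' -> (3, 1, 4); pre-release and build suffixes are dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_package(tree, name, path=()):
    """Yield (path, version) for every occurrence of `name` in an npm ls tree.

    Occurrences without a "version" key (assumed absent only for malformed
    entries) are skipped rather than guessed at."""
    for dep_name, dep in tree.get("dependencies", {}).items():
        here = path + (f"{dep_name}@{dep.get('version', '?')}",)
        if dep_name == name and "version" in dep:
            yield here, dep["version"]
        yield from find_package(dep, name, here)


def check_package(npm_ls_json, name, fixed_by_major):
    """Return [(path_string, version, verdict)] for every copy of `name`.

    verdict is 'fixed' when the version is at or above the fixed release for
    its major line, 'vulnerable' when below it, and 'unknown-major' when no
    fixed version is recorded for that major (treat that as unsafe, not safe).
    """
    results = []
    for path, version in find_package(json.loads(npm_ls_json), name):
        parsed = parse_version(version)
        fixed = fixed_by_major.get(parsed[0])
        if fixed is None:
            verdict = "unknown-major"
        elif parsed >= fixed:
            verdict = "fixed"
        else:
            verdict = "vulnerable"
        results.append((" > ".join(path), version, verdict))
    return results


def all_fixed(results):
    """True only when the package was found and every copy is on a fixed release."""
    return bool(results) and all(verdict == "fixed" for _, _, verdict in results)


if __name__ == "__main__":
    report = check_package(SAMPLE_NPM_LS_JSON, "cryptiles", FIXED_VERSIONS["cryptiles"])
    for path, version, verdict in report:
        print(f"{verdict:14} {path}")
    print("ignore alert" if all_fixed(report) else "alert stands")
```

To run it against a real checkout, replace `SAMPLE_NPM_LS_JSON` with the output of `npm ls cryptiles --json` from the project directory. The point of keying the fixed version by major line is exactly the situation in this issue: an alert that says "upgrade to >=4.1.2" is wrong for a tree pinned to hapi 16, where the patched 3.x release is the one that matters, while a copy on a major line you have no fix record for is reported rather than silently passed.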
This should be fixed by #353 as it upgrades hapi to v18 which depends on @hapi/cryptiles@4.2.0