Closed raQai closed 1 year ago
Have you tried using a package resolution, or the npm equivalent 'overrides'? This lets you override a child dependency version without having to wait for a higher one to be updated.
We had the same issue with nyc and this seemed to work for us:

```json
"resolutions": {
  "nyc/istanbul-lib-instrument": "^5.2.1"
},
```
Yea thanks for the advice :slightly_smiling_face: `npm audit fix` actually resolves the failure but I just wanted to open this issue since it was not yet addressed in `nyc` itself which it probably should :)
@raQai there is nothing for `nyc` to address as the vulnerability is a child dependency of a dependency they rely on whose constraints allow for a patched version to be used (since running `npm audit fix` successfully resolves the advisory) - `nyc` would only need to action this if that wasn't the case.
Thanks for clarifying @G-Rath :+1:
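The triage rule discussed in the comments above (a lockfile refresh is enough when the dependent's declared range already admits the patched version; an override/resolution or an upstream bump is needed only when it does not) can be checked mechanically. The following is an added example, not code from this thread or from the nyc project; the package names, versions and lockfile excerpt are constructed, and the caret matcher is a minimal stand-in for the `semver` package.

```javascript
// Added example: hypothetical package names and versions, constructed lockfile data.
// Minimal matcher for ^MAJOR.MINOR.PATCH ranges only; real tooling uses the `semver` package.
function parse(v) { return v.replace(/^\^/, '').split('.').map(Number); }

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` falls inside the caret range `range` (npm semantics).
function satisfiesCaret(version, range) {
  const v = parse(version), lo = parse(range);
  // Upper bound: bump the left-most non-zero component of the lower bound.
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
           : lo[1] > 0 ? [0, lo[1] + 1, 0]
           : [0, 0, lo[2] + 1];
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Constructed excerpt in the package-lock v2/v3 "packages" layout.
const lock = { packages: {
  'node_modules/parent-a': { version: '1.0.0', dependencies: { 'vulnerable-child': '^2.1.0' } },
  'node_modules/parent-b': { version: '3.0.0', dependencies: { 'vulnerable-child': '^1.0.1' } },
  'node_modules/vulnerable-child': { version: '2.1.0' },
  'node_modules/parent-b/node_modules/vulnerable-child': { version: '1.0.1' },
} };

// For every package that depends on `name`, decide whether its declared
// range already allows the patched release.
function triage(lockfile, name, patched) {
  return Object.entries(lockfile.packages)
    .filter(([, meta]) => meta.dependencies && name in meta.dependencies)
    .map(([path, meta]) => {
      const range = meta.dependencies[name];
      return {
        dependent: path.split('node_modules/').pop(),
        range,
        // lockfile-update: `npm audit fix` can resolve it without the dependent changing.
        // override-or-upstream-bump: the range excludes the patch, so force it or wait.
        action: satisfiesCaret(patched, range) ? 'lockfile-update' : 'override-or-upstream-bump',
      };
    });
}

console.log(triage(lock, 'vulnerable-child', '2.2.2'));
```
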
Link to bug demonstration repository
https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Expected Behavior
Audit passing
Observed Behavior
Audit failing
Troubleshooting steps