jaredpalmer / tsdx

Zero-config CLI for TypeScript package development
https://tsdx.io
MIT License

[Snyk] Fix for 1 vulnerabilities #770

Closed snyk-bot closed 4 years ago

snyk-bot commented 4 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With a Snyk patch:
Severity: medium | Issue: Prototype Pollution (SNYK-JS-LODASH-567746) | Exploit Maturity: Proof of Concept

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

vercel[bot] commented 4 years ago

This pull request is being automatically deployed with Vercel (learn more). To see the status of your deployment, click below or on the icon next to each commit.

πŸ” Inspect: https://vercel.com/formik/tsdx/jkuwta0ws βœ… Preview: https://tsdx-git-snyk-fix-c1e9e8e302fe06d5d8ff30c0b353d3e3.formik.vercel.app

agilgur5 commented 4 years ago

unnecessary to update /website, but also duplicates #768 / #818. not sure why it added its own patch instead of just updating the dep

jaredpalmer commented 4 years ago

I just deleted my Snyk account. I will install dependabot on formium when I get to office in am. Been using it on another project and it’s pretty good. I’ll set it to do weekly dep checks so we can do other things with our lives

agilgur5 commented 4 years ago

> I just deleted my Snyk account.

Thanks Jared. I think that'll stop the updates but you might want to clear the permissions you gave to Snyk (it actually commits as a user and not as a bot since they don't have an app for some reason)

> I will install dependabot on formium when I get to office in am. Been using it on another project and it’s pretty good. I’ll set it to do weekly dep checks so we can do other things with our lives

Agreed that weekly would be a lot better than this multiple times a day current monstrosity but still have some issues with unnecessary dep upgrades when they're not pinned anyway. Can continue any discussion of that on #839 though

agilgur5 commented 4 years ago

Snyk has been removed per above. Closing as unnecessary since this updated a dep on /website dir, which isn't a library. And because this effectively duplicated other PRs per above and added a patch instead of just updating weirdly enough.

Snyk has been replaced with dependabot per #839 / #846. Will go through and cleanup all the Snyk branches now.

EDIT: deleted 10+ Snyk branches. Also deleted a multitude of Greenkeeper branches but won't delete the rest since there are still some open Greenkeeper PRs that should be merged/superseded but require breaking changes so will be batched later.