jasmine / jasmine-browser-runner

Serve and run your Jasmine specs in a browser

Update express dependency #55

Closed HolgerJeromin closed 7 months ago

HolgerJeromin commented 7 months ago

Updates to a version with a security fix: ref https://github.com/expressjs/express/releases/tag/4.19.2

https://www.cve.org/CVERecord?id=CVE-2024-29041

HolgerJeromin commented 7 months ago

Thanks for merging. Would you mind preparing a new release so dependabot can be happy? :-D

sgravrock commented 7 months ago

Can you help me understand why you can't appease dependabot without a jasmine-browser-runner release? The existing released version of jasmine-browser-runner is compatible with the latest express, so you should get the latest express automatically unless you have a lockfile that pins an older version. And in that case, I'd bet that the lockfile also pins jasmine-browser-runner.

Can you show me a repo where the Dependabot warning can't be fixed without a jasmine-browser-runner release?

Also note that jasmine-browser-runner is not affected by the mentioned vulnerability because it does not use the vulnerable parts of express.
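The point made above, that a consumer picks up a fixed dependency version automatically when the dependent package's declared range already admits it, and otherwise only a lockfile refresh or a new dependent release helps, can be checked mechanically. The script below is an added example, not code from jasmine-browser-runner or from this thread. It assumes a minimal caret-only semver range (`^a.b.c` or an exact version; tilde, `||` and comparator ranges are deliberately out of scope), and the `package.json` / `package-lock.json` fragments it reads are constructed sample data rather than the project's real manifests.

```javascript
// Added example: decide whether a consumer can get a fixed version of a
// transitive dependency (here express 4.19.2) without a new release of the
// package that depends on it. Caret-only semver; sample data is constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing two x.y.z versions numerically.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// ^a.b.c admits >=a.b.c and <(a+1).0.0 when a>0, or <0.(b+1).0 when a is 0.
// A bare version is treated as an exact pin. Other range syntaxes throw.
function satisfiesCaret(range, version) {
  const r = range.trim();
  if (!r.startsWith('^')) return compareVersions(r, version) === 0;
  const baseStr = r.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  return v[0] === 0 && v[1] === base[1];
}

// Classify the consumer's situation:
//   needs-dependent-release: the dependent's range excludes the fixed version
//   refresh-lockfile:        range admits it, but the lockfile pins an older one
//   already-fixed:           range admits it and nothing pins an older version
function assess({ dependentRange, fixedVersion, lockedVersion }) {
  const rangeAdmitsFix = satisfiesCaret(dependentRange, fixedVersion);
  const lockPinsOld =
    lockedVersion !== undefined && compareVersions(lockedVersion, fixedVersion) < 0;
  if (!rangeAdmitsFix) return 'needs-dependent-release';
  if (lockPinsOld) return 'refresh-lockfile';
  return 'already-fixed';
}

// Constructed sample manifests (hypothetical values, not the project's own).
const samplePackageJson = {
  name: 'jasmine-browser-runner',
  dependencies: { express: '^4.17.1' },
};
const samplePackageLock = {
  packages: { 'node_modules/express': { version: '4.18.2' } },
};

function assessSample() {
  return assess({
    dependentRange: samplePackageJson.dependencies.express,
    fixedVersion: '4.19.2',
    lockedVersion: samplePackageLock.packages['node_modules/express'].version,
  });
}

console.log(assessSample()); // refresh-lockfile
```

Run it with `node` and it reports `refresh-lockfile` for the sample: the declared `^4.17.1` range already admits 4.19.2, so the consumer's own lockfile, not the dependent package, is what holds express back. Only an exact pin in the dependent's `package.json` (the `needs-dependent-release` case) would actually require a new release upstream.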

HolgerJeromin commented 7 months ago

You are right. Thanks for the hint. Problem fixed.