jednano / eclint

Validate or fix code that doesn't adhere to EditorConfig settings or infer settings from existing code.
MIT License

latest eclint depends on vulnerable axios package #161

Open dlouzan opened 5 years ago

dlouzan commented 5 years ago

See https://nvd.nist.gov/vuln/detail/CVE-2019-10742

(fix/security-vulnerabilities= d4c870e)$ yarn why axios
yarn why v1.16.0
[1/4] 🤔  Why do we have the module "axios"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "axios@0.18.0"
info Reasons this module exists
   - "eclint#gulp-reporter" depends on it
   - Hoisted from "eclint#gulp-reporter#axios"
info Disk size without dependencies: "432KB"
info Disk size with unique dependencies: "496KB"
info Disk size with transitive dependencies: "628KB"
info Number of shared dependencies: 4
✨  Done in 0.69s.

(fix/security-vulnerabilities= d4c870e)$ yarn list eclint
yarn list v1.16.0
warning Filtering by arguments is deprecated. Please use the pattern option instead.
└─ eclint@2.8.1
✨  Done in 0.64s.
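
The `yarn why` check above, as an added example that is not part of eclint or of the reporter's post: a small Node script that parses a yarn.lock (v1 format), finds every resolved version of a package older than its patched release, and lists the lockfile entries that request it. The lockfile text is constructed to mirror the chain in this issue (gulp-reporter's version is made up), and the patched version 0.18.1 for CVE-2019-10742 comes from the axios advisory, not from this page.

```javascript
// Added example (not eclint's code): find every resolved version of a package in a
// yarn.lock (v1 format) older than the patched release and report which lockfile
// entries request it, much like the `yarn why` output in the issue.
// Constructed lockfile: eclint -> gulp-reporter -> axios@0.18.0 (gulp-reporter version made up).
const SAMPLE_LOCK = `
# yarn lockfile v1
eclint@2.8.1:
  version "2.8.1"
  dependencies:
    gulp-reporter "^2.0.0"
gulp-reporter@^2.0.0:
  version "2.0.0"
  dependencies:
    axios "^0.18.0"
axios@^0.18.0:
  version "0.18.0"
`;

// Parse the indentation-based lockfile into { specs, version, deps } records.
function parseYarnLock(text) {
  const entries = [];
  let cur = null, inDeps = false;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {   // entry header, e.g. `a@^1.0.0, a@^1.2.0:`
      cur = { specs: line.replace(/:$/, '').split(',').map(s => s.trim().replace(/"/g, '')), version: null, deps: {} };
      entries.push(cur); inDeps = false;
    } else if (line.startsWith('  version ')) { cur.version = line.match(/"([^"]+)"/)[1]; inDeps = false; }
    else if (line.trim() === 'dependencies:') { inDeps = true; }
    else if (!line.startsWith('    ')) { inDeps = false; }   // other keys: resolved, integrity, ...
    else if (inDeps) { const m = line.trim().match(/^"?([^"\s]+)"?\s+"([^"]+)"$/); if (m) cur.deps[m[1]] = m[2]; }
  }
  return entries;
}

// Numeric compare of plain x.y.z versions (pre-release tags are not handled).
const cmpVersion = (a, b) => {
  const [pa, pb] = [a, b].map(v => v.split('.').map(Number));
  return (pa[0] - pb[0]) || (pa[1] - pb[1]) || (pa[2] - pb[2]);
};
const pkgName = spec => spec.slice(0, spec.lastIndexOf('@'));   // also handles @scope/name@1.0.0

// Every resolved version of `pkg` below `fixedIn`, with the entries that depend on it.
function findVulnerable(lockText, pkg, fixedIn) {
  const entries = parseYarnLock(lockText);
  const requesters = e => entries.filter(d => e.specs.includes(`${pkg}@${d.deps[pkg]}`))
                                 .map(d => `${pkgName(d.specs[0])}@${d.version}`);
  return entries.filter(e => pkgName(e.specs[0]) === pkg && cmpVersion(e.version, fixedIn) < 0)
                .map(e => ({ version: e.version, dependents: requesters(e) }));
}
console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK, 'axios', '0.18.1')));   // CVE-2019-10742 fixed in 0.18.1
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `fs.readFileSync('yarn.lock', 'utf8')`; each reported entry is one of the "Reasons this module exists" that `yarn why` prints.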

zbeekman commented 5 years ago

It would be nice to see Dependabot set up for eclint

zbeekman commented 5 years ago

PR #163 adds a Dependabot config.yml, but project authors/maintainers still need to enable it for the project and create a Dependabot account.