jhnns / rewire

Easy monkey-patching for node.js unit tests
MIT License
3.08k stars 128 forks

fix: move eslint to devDependencies #161

Closed kulfoniasty closed 4 years ago

kulfoniasty commented 5 years ago

To overcome the recently reported issue with https://www.npmjs.com/advisories/788

I moved eslint to devDependencies, as I do not believe it is necessary for my project to inherit it from rewire.

coveralls commented 5 years ago

Coverage Status

Coverage remained the same at 97.619% when pulling ef1b714f9885faff2bc438dabac7624ede203550 on kulfoniasty:master into 5bea3d816d0258e5204f1b49b08b9fb302ac53e1 on jhnns:master.

rensbaardman commented 5 years ago

Note that eslint is in fact not a devDependency: see this comment. It is used in moduleEnv.js.

The vulnerability in js-yaml was fixed in version 3.13.0 of js-yaml. Since version 5.16.0 of eslint, eslint is explicitly depending on version 3.13.1 or higher of js-yaml. The problem is that rewire is depending on "eslint": "^4.19.1", and therefore keeps the vulnerable version of js-yaml in its dependency tree. Bumping the eslint-dependency to version 5 – if possible – would fix this.
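
The check described in the comment above, as an added example that is not part of the thread or of rewire's code: it walks an npm lockfile in the v1 nested layout, finds every installed js-yaml copy older than 3.13.0, and traces the `requires` chain that pulls it in. The lockfile is a constructed sample; `other-tool`, all function names, and every version other than the eslint range and the js-yaml fix version are assumptions.

```javascript
// Constructed sample in npm lockfile v1 layout (not from the rewire repo).
// Only the eslint range "^4.19.1" and the fix version come from the thread;
// "other-tool" is a hypothetical package with its own, already fixed, nested copy.
const sampleLock = {
  dependencies: {
    rewire: { version: '4.0.0', requires: { eslint: '^4.19.1' } },
    eslint: { version: '4.19.1', requires: { 'js-yaml': '^3.9.1' } },
    'js-yaml': { version: '3.12.0' },
    'other-tool': { version: '1.0.0', requires: { 'js-yaml': '^3.13.1' },
      dependencies: { 'js-yaml': { version: '3.13.1' } } }
  }
};
const FIXED = '3.13.0'; // js-yaml release that fixed the advisory, per the thread

// Compare two plain x.y.z versions; negative when a is older than b.
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  return pa[0] - pb[0] || pa[1] - pb[1] || pa[2] - pb[2];
}

// Every installed copy of `name`, at any nesting depth, with its nesting path.
function installedCopies(deps, name, path = []) {
  let out = [];
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = path.concat(dep);
    if (dep === name) out.push({ path: here, version: info.version });
    out = out.concat(installedCopies(info.dependencies, name, here));
  }
  return out;
}

// Follow "requires" upward from the hoisted copy of `name` to a direct dependency.
function chainTo(lock, name) {
  const chain = [name];
  for (let cur = name; ;) {
    const parent = Object.entries(lock.dependencies).find(([dep, info]) =>
      !chain.includes(dep) && info.requires && cur in info.requires &&
      !(info.dependencies && cur in info.dependencies));
    if (!parent) return chain.reverse();
    chain.push(cur = parent[0]);
  }
}

// Copies of `name` older than `fixed`, each with the chain that pulls it in.
function audit(lock, name, fixed) {
  return installedCopies(lock.dependencies, name)
    .filter(c => cmp(c.version, fixed) < 0)
    .map(c => ({ ...c, via: c.path.length === 1 ? chainTo(lock, name) : c.path }));
}
console.log(JSON.stringify(audit(sampleLock, 'js-yaml', FIXED)));
```

On the sample, the only flagged copy is the hoisted js-yaml 3.12.0, reached through rewire and eslint; the nested 3.13.1 copy under `other-tool` is not reported.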