jhnns / rewire

Easy monkey-patching for node.js unit tests
MIT License
3.08k stars 128 forks

Vulnerability in eslint > espree > acorn #177

Closed rafaels-dev closed 4 years ago

rafaels-dev commented 4 years ago

NPM audit is reporting a vulnerability in eslint's acorn dependency. A patch is available, but eslint needs to be updated.


rafaels-dev commented 4 years ago

I can see rewire is using old eslint version. Could I update eslint to latest version?

rensbaardman commented 4 years ago

Unfortunately, this repo hasn't been updated in quite a while. I maintain a fork that has the eslint updates already. Should be a drop-in replacement.

rafaels-dev commented 4 years ago

> Unfortunately, this repo hasn't been updated in quite a while. I maintain a fork that has the eslint updates already. Should be a drop-in replacement.

Are you thinking of releasing and maintaining a forked rewire on npm, maybe using another package name?

@jhnns are you thinking of keeping this repo updated? Maybe you could assign new contributors as maintainers.

rensbaardman commented 4 years ago

I'm not sure @jhnns sees these mentions. I have sent him a mail and will wait for his response. Else I will consider maintaining a fork in npm.

arijnr commented 4 years ago

This repository has a "^" before the eslint dependency declaration. It means all non-breaking changes in eslint can be downloaded if new eslint versions become available.

The vulnerability has been fixed in eslint and a new version with no breaking change has been released. But maybe the older versions are forced in your package-lock.json.

You could try as below:
-> remove node_modules (maybe not needed)
-> remove "rewire" from package.json
-> npm install ("rewire" should disappear from package-lock.json)
-> add "rewire" again to your package.json
-> npm install (rewire will appear again in package-lock.json, but with new dependency versions for rewire)
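To see why the caret range alone does not help, here is an added example (not code from the rewire project or this thread) that walks a lockfileVersion 1 package-lock.json and reports every nested copy of a package still pinned below a chosen version; the sample lock, its version numbers and the "7.1.1" cut-off are constructed placeholders, not values from the advisory.

```javascript
// Added example, not part of rewire: find transitive copies of a package that
// package-lock.json still pins to an old version, with the path that led there.

// Compare two "x.y.z" version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively walk the nested "dependencies" tree of a v1 lockfile and collect
// every entry named `target` whose pinned version is older than `minFixed`.
function findOutdated(lock, target, minFixed, path = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const chain = [...path, name];
    if (name === target && compareVersions(entry.version, minFixed) < 0) {
      out.push({ chain: chain.join(" > "), version: entry.version });
    }
    findOutdated(entry, target, minFixed, chain, out); // descend into nested deps
  }
  return out;
}

// Constructed sample lock (all versions made up): the top-level acorn is
// already current, but the copy nested under rewire > eslint > espree is not.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    acorn: { version: "7.1.1" },
    rewire: {
      version: "4.0.1",
      dependencies: {
        eslint: {
          version: "4.19.1",
          dependencies: {
            espree: { version: "3.5.4", dependencies: { acorn: { version: "5.7.3" } } },
          },
        },
      },
    },
  },
};

// "7.1.1" is a placeholder cut-off, not the advisory's real fixed version.
console.log(findOutdated(sampleLock, "acorn", "7.1.1"));
```

Running it against a real lock (`JSON.parse(fs.readFileSync("package-lock.json"))`) lists exactly the nested entries that the reinstall steps above would refresh.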

rafaels-dev commented 4 years ago

Thanks @arijnr, it worked fine!