search

jhnns / rewire

Easy monkey-patching for node.js unit tests
MIT License
3.08k stars 128 forks source link

remove vulnerable version of ansi-regex from dependencies #193

Closed tsekityam closed 2 years ago

tsekityam commented 3 years ago

Dependabot cannot update ansi-regex to a non-vulnerable version The latest possible version that can be installed is 4.1.0 because of the following conflicting dependency:

rewire@5.0.0 requires ansi-regex@^4.1.0 via a transitive dependency on strip-ansi@5.2.0 The earliest fixed version is 5.0.1.

View logs or learn more about troubleshooting Dependabot errors.

I got the above warning in one of my projects. It seems that the best way to fix this vulnerability is to upgrade mocha and eslint in this project to the latest version.

This PR upgrade mocha and eslint to the latest version, and also add the missing dev dependency istanbul to the repo.

I tried npm run test, npm run coverage and npm audit, and no warning or error was raised.

makiri1993 commented 3 years ago

Any timeline when this will be released? I'm having the same issue and it's part of a ticket of mine :D

imailer commented 2 years ago

@jhnns can you please review the PR and merge it ?

jhnns commented 2 years ago

I will try to review it this week :+1:

jhnns commented 2 years ago

LGTM, thank you 👍 :)

jhnns commented 2 years ago

Published as v6.0.0 🚀