jonkemp / inline-css

Inline css into an html file.
MIT License
429 stars, 85 forks

vm2 dependency still there #128

Closed. ir-fuel closed this 6 months ago

ir-fuel commented 7 months ago

You have updated the code so remote-content no longer uses the superagent dependency which pulled in a vulnerable vm2 dependency.

However, you did not update any version numbers, not on inline-css and not on remote-content, so people who don't wipe node_modules before running npm install will not get updated versions for this.

This is what npm ls contextify vm2 shows right now on my computer:

└─┬ inline-css@4.0.2
  └─┬ extract-css@3.0.1
    └─┬ href-content@2.0.2
      └─┬ remote-content@3.0.1
        └─┬ superagent-proxy@3.0.0
          └─┬ proxy-agent@5.0.0
            └─┬ pac-proxy-agent@5.0.0
              └─┬ pac-resolver@5.0.1
                └─┬ degenerator@3.0.4
                  └── vm2@3.9.19

ir-fuel commented 7 months ago

It's even worse, it seems. I deleted package-lock.json and node_modules and force-cleaned the npm cache, and I still get the above dependency tree imported in the project.
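
A way to verify the situation ir-fuel describes from a lockfile rather than from a live npm install, added here as an example that is not part of this issue or of the inline-css project: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and reports every dependency chain ending in a named package, so the output can be compared with what npm ls shows. The lockfile contents below are constructed to mirror the tree above; the project name "my-app" is an assumption.

```javascript
// Walk a package-lock.json ("packages" map, lockfileVersion 2 or 3) and list every
// dependency chain from the project root to a named package, as `npm ls <pkg>` does,
// so a "fixed" transitive dependency can be verified rather than assumed.

// Constructed sample lockfile (not the real inline-css one) reproducing the issue's chain.
const CHAIN = [["inline-css", "4.0.2"], ["extract-css", "3.0.1"], ["href-content", "2.0.2"],
  ["remote-content", "3.0.1"], ["superagent-proxy", "3.0.0"], ["proxy-agent", "5.0.0"],
  ["pac-proxy-agent", "5.0.0"], ["pac-resolver", "5.0.1"], ["degenerator", "3.0.4"], ["vm2", "3.9.19"]];
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { "": { name: "my-app", dependencies: { "inline-css": "^4.0.2" } } } };
CHAIN.forEach(([name, version], i) => {
  const next = CHAIN[i + 1]; // each hop depends only on the next one
  SAMPLE_LOCK.packages["node_modules/" + name] = { version, dependencies: next ? { [next[0]]: "^" + next[1] } : {} };
});

// npm's lookup rule: from location `from`, dependency `name` is found in the nearest
// enclosing node_modules directory that contains it (nested copies shadow hoisted ones).
function resolveDep(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i < 0 ? "" : base.slice(0, i);
  }
}

// Depth-first search for every chain ending in `target`; each chain is an array of
// "name@version" labels, outermost dependency first. Cycles are legal in npm trees.
function findPaths(lock, target) {
  const packages = lock.packages, results = [], visiting = new Set();
  function walk(loc, trail) {
    if (visiting.has(loc)) return;
    visiting.add(loc);
    const deps = { ...packages[loc].dependencies, ...packages[loc].optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const depLoc = resolveDep(packages, loc, dep);
      if (!depLoc) continue; // e.g. an optional dependency npm skipped
      const label = dep + "@" + packages[depLoc].version;
      if (dep === target) results.push([...trail, label]);
      else walk(depLoc, [...trail, label]);
    }
    visiting.delete(loc);
  }
  walk("", []);
  return results;
}

// One line per chain found, outermost dependency first.
for (const chain of findPaths(SAMPLE_LOCK, "vm2")) console.log(chain.join(" > "));
```

To check a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and fail the CI step whenever findPaths returns a non-empty list.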

jonkemp commented 7 months ago

Thanks. I am aware. This is a monorepo so it's more complicated and I'm looking into converting it to use Turborepo. I just haven't gotten to it yet. Sorry for the delay.

LucVidal360 commented 6 months ago

Hi @jonkemp, I really look forward to a new version of inline-css and remote-content without vm2. :wink: I guess just having a remote-content@3.0.2 would be enough.

jonkemp commented 6 months ago

Updates to href-content and remote-content are available on npm.

LucVidal360 commented 6 months ago

@jonkemp Thank you so much :pray: