Closed andy-viv closed 5 years ago
Not sure if this is necessary or if #12 will do it on its own... The caret spec should theoretically pick up 3.0.1 (3.0.0 has the bug), but probably want to merge this as well to ensure it.
What makes the problem worse is that there are libraries out there that depend on base@0.11.2, which in turn depends on cache-base@1.0.1, which is going to be unaffected by this fix. Fortunately there is a 0.11 branch for base so that could be patched, but unfortunately major upgrades of cache-base are backwards-incompatible in a fundamental way, and there is no 1.x branch for cache-base where a targeted dependency bump (from set-value@2.0.1 to 3.x) could be applied.
@jonschlinkert How do you suggest to approach this?
@jonschlinkert If you could create 1.x branch for cache-base based on latest 1.x tag, I could raise a version bump PR against it.
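As an added example (not code from the thread or from the base, cache-base or set-value projects), the following script shows the two semver points raised above: why a `^3.0.0` range picks up 3.0.1 automatically, and why a `^2.x` range in a transitive dependency such as cache-base@1.0.1 can never resolve to 3.x without a targeted bump on that branch. The registry snapshot (`PUBLISHED`) and the dependency ranges (`DEPS`) are constructed for illustration and are not the real manifests of those packages.

```javascript
// Added example: minimal npm-style caret resolver plus a walk over a constructed
// dependency tree. Not the projects' own code; versions/ranges below are assumptions.

const SEMVER = /^(\d+)\.(\d+)\.(\d+)$/;

function parse(v) {
  const m = SEMVER.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// npm caret rule: "^X.Y.Z" allows >= X.Y.Z and < (X+1).0.0 when X > 0;
// for "^0.Y.Z" the upper bound is the next minor, < 0.(Y+1).0.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled here: ${range}`);
  const base = range.slice(1);
  const [major, minor] = parse(base);
  const upper = major > 0 ? `${major + 1}.0.0` : `0.${minor + 1}.0`;
  return compare(version, base) >= 0 && compare(version, upper) < 0;
}

// Highest published version satisfying the range (what npm would install), or null.
function resolve(range, published) {
  const ok = published.filter((v) => satisfiesCaret(range, v)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry snapshot and manifests, modelled on the chain named in
// the thread (base -> cache-base -> set-value). Assumed values, not real data.
const PUBLISHED = {
  'cache-base': ['1.0.0', '1.0.1', '2.0.0'],
  'set-value': ['2.0.0', '2.0.1', '3.0.0', '3.0.1'],
};
const DEPS = {
  'base@0.11.2': { 'cache-base': '^1.0.1' },
  'cache-base@1.0.1': { 'set-value': '^2.0.1' },
  'cache-base@2.0.0': { 'set-value': '^3.0.0' },
};

// Starting from "pkg@version", resolve each range as npm would and return every
// "a@x > b@y > ..." chain that ends at the target package. Useful for seeing
// which transitive path pulls in a flagged version and which branch must be patched.
function chainsTo(root, target, deps = DEPS, published = PUBLISHED) {
  const out = [];
  (function walk(node, path) {
    const name = node.slice(0, node.lastIndexOf('@'));
    if (name === target) { out.push(path.join(' > ')); return; }
    for (const [dep, range] of Object.entries(deps[node] || {})) {
      const v = resolve(range, published[dep] || []);
      if (v) walk(`${dep}@${v}`, [...path, `${dep}@${v}`]);
    }
  })(root, [root]);
  return out;
}

console.log('^3.0.0 resolves to', resolve('^3.0.0', PUBLISHED['set-value']));
console.log('^2.0.1 resolves to', resolve('^2.0.1', PUBLISHED['set-value']));
console.log('chains from base@0.11.2 to set-value:', chainsTo('base@0.11.2', 'set-value'));
```

The chain output shows the point made in the thread: with base pinned to `^1.0.1` for cache-base, the walk stays on cache-base 1.0.1, whose `^2.0.1` range can only ever select a 2.x set-value, so a fix published as 3.0.1 is invisible to that path until cache-base's own 1.x range is bumped.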
Npm fixed the versions they reported as vulnerable so you shouldn't be getting npm audit warnings now.
@doowb Can you explain what do you mean by "fixed versions"? Isn't it impossible to retroactively change anything published on npm?
@kibertoad npm added an additional version under Unaffected https://www.npmjs.com/advisories/1012/versions
@kibertoad as @scttcper points to on npm's advisories page, the patched versions are already listed and had already been published to npm. Snyk had reported the unaffected versions correctly and their tool worked properly when checking for vulnerabilities. Unfortunately, when npm updated their database, they missed one of the unaffected versions, which caused npm audit to start reporting vulnerabilities. Npm "fixed the versions" by updating their database with the correct unaffected versions. We didn't have to publish any new code to the npm registry.
I see, thank you for clarification!
Audit failure advisory link: https://www.npmjs.com/advisories/1012