jonschlinkert / global-prefix

Get the npm global path prefix. Same code used internally by npm.
MIT License
28 stars 12 forks

High severity vulnerability detected "ini 1.3.5" dependencies #25

Closed kamalyzl closed 3 years ago

kamalyzl commented 3 years ago

A security assessment was performed and vulnerabilities were found in the dependency ini "^1.3.5".

It is requested to update from ini "^1.3.5" to ini "^1.3.6", version 2.0.0 being the latest stable.

doowb commented 3 years ago

Hi @kamalyzl, and thank you for the issue. Since the vulnerability in ini@1.3.5 was patched in ini@1.3.6 and this module uses ^ in the version range, NPM's semver will handle downloading the correct version.

If you are still having issues, take a look at this guide for advice on ensuring NPM gets the correct version.

I'm going to close this now, but when we make other changes to the code in this module, we'll also evaluate updating the dependencies.