jonschlinkert / gray-matter

Smarter YAML front matter parser, used by metalsmith, Gatsby, Netlify, Assemble, mapbox-gl, phenomic, vuejs vitepress, TinaCMS, Shopify Polaris, Ant Design, Astro, hashicorp, garden, slidev, saber, sourcegraph, and many others. Simple to use, and battle tested. Parses YAML by default but can also parse JSON Front Matter, Coffee Front Matter, TOML Front Matter, and has support for custom parsers. Please follow gray-matter's author: https://github.com/jonschlinkert
MIT License
3.97k stars, 138 forks

Security alert: Please update js-yaml dependency #94

Closed. lehnerpat closed this issue 5 years ago.

lehnerpat commented 5 years ago

This package currently uses version 3.11.0 of js-yaml.

According to this NPM security advisory:

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

Please update gray-matter's js-yaml dependency to a patched version, so that users of your great package can continue using it safely :)

Thanks in advance!

doowb commented 5 years ago

Please do some research to learn how NPM and semver work before opening issues like this.

According to NPM's documentation on semantic versioning, a version specified with ^ in front will get all minor releases. gray-matter specifies ^3.11.0 which tells NPM to pull down any 3.x versions. This includes 3.13.1.

Also, take a look at how js-yaml is used in gray-matter. The advisory you quoted says "The safeLoad() function is unaffected." That's the only function gray-matter uses.

If you are receiving security warnings then you either need to delete your node_modules and package-lock.json and clear your NPM cache, or open a bug report with NPM to let them know they aren't installing the correct version based on their semver rules.

robertmassaioli commented 5 years ago

"Please do some research to learn how NPM and semver work before opening issues like this."

That might be a bit harsh even if it is correct.

I would like to add, though, that you should check your package.lock/yarn.lock files, should they exist; they may be what is preventing you from getting the latest version of gray-matter.

Hope this helps and thanks for trying to help make sure that gray-matter is as good as it can be!
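The two checks suggested in this thread (does gray-matter's "^3.11.0" range admit the patched js-yaml, and what version is your lockfile actually pinning?) written out as a small Node.js script. This is an added example, not code from gray-matter or from anyone in the thread; the caret logic is written inline rather than via the npm semver package so it runs offline, it only handles caret ranges with a major version of 1 or higher, and the lockfile contents are a constructed sample.

```javascript
// Added example, not part of gray-matter: a defender-side audit of the
// js-yaml version a project will really get. Versions 3.11.0 and 3.13.1 are
// the ones named in the issue; the lockfile below is constructed.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are not handled).
function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// Compare two plain versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  return 0;
}

// npm caret semantics for major >= 1: "^3.11.0" means >=3.11.0 and <4.0.0.
// (Assumption: ranges starting at 0.x, which npm treats differently, are rejected.)
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled');
  const floor = range.slice(1);
  if (parseVersion(floor).major < 1) throw new Error('0.x caret ranges not handled');
  return parseVersion(version).major === parseVersion(floor).major &&
    compareVersions(version, floor) >= 0;
}

// Resolve the pinned version of a package from a package-lock.json object,
// supporting the lockfileVersion 1 "dependencies" and v2/v3 "packages" layouts.
function lockedVersion(lock, name) {
  const pkg = lock.packages && lock.packages['node_modules/' + name];
  if (pkg) return pkg.version;
  const dep = lock.dependencies && lock.dependencies[name];
  return dep ? dep.version : null;
}

// Constructed sample lockfile: a stale pin that the caret range alone will not refresh.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: { 'js-yaml': { version: '3.11.0' } } };
const PATCHED = '3.13.1'; // minimum fixed version quoted from the advisory

// Report whether the range admits the fix and whether the lockfile already has it.
function auditJsYaml(lock, range = '^3.11.0') {
  const pinned = lockedVersion(lock, 'js-yaml');
  return {
    pinned,
    rangeAdmitsPatch: satisfiesCaret(range, PATCHED),
    pinnedIsPatched: pinned !== null && compareVersions(pinned, PATCHED) >= 0,
  };
}
```

Running auditJsYaml against a real lockfile (JSON.parse of package-lock.json) shows the case both commenters describe: the range admits 3.13.1, but a lockfile pinned at 3.11.0 keeps installing the vulnerable release until it is regenerated.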