Open dependabot[bot] opened 4 years ago
@jonschlinkert can we get this merged?
Since we did not hear back from @jonschlinkert in a while, I forked the repository and published a new package to NPM. The new package uses the latest dependencies and as of now, has no other security vulnerabilities.
Read this issue for more information: https://github.com/jonschlinkert/to-object-path/issues/3 New repository: https://github.com/OronNadiv/to-object-path New NPM Package: https://www.npmjs.com/package/to-object-path-js
The CVE specifies kind-of >= 6.0.0 and < 6.0.3
. Version 3.2.2
does not fall within this range, which is fine to use here. Some additional discussion can be found here.
Since the update isn't necessary by itself, this doesn't need to be merged in yet. I'll leave the PR open and merge it in when we make additional changes to this module.
Bumps kind-of from 3.2.2 to 6.0.3.
Changelog
Sourced from kind-of's changelog.
Commits
abab085
6.0.3a18459c
run verb to generate README documentationdc6bea5
only need to checktypeof val.constructor
1df992c
Merge pull request #31 from xiaofen9/master975c13a
fix type checking vul in ctorName4da96c0
Delete FUNDING.yml28266f2
Create FUNDING.yml0b4abab
6.0.21491da7
addserror
to readme, thanks to @ianstormtaylor80cdb6e
Merge pull request #21 from ianstormtaylor/update-readme-errorMaintainer changes
This version was pushed to npm by doowb, a new releaser for kind-of since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/jonschlinkert/to-object-path/network/alerts).