jonschlinkert / to-object-path

Create an object path (dot notation) from a list or array of strings.
MIT License

vulnerable dependency kind-of #3

Closed joshuanapoli closed 3 years ago

joshuanapoli commented 4 years ago

This package's dependency kind-of has vulnerability CVE-2019-20149. The problem would be solved by upgrading to the latest version of kind-of. See #2 (test passes on the branch)

cahuizar commented 3 years ago

Any update on this?

OronNadiv commented 3 years ago

I created similar tickets for packages that @jonschlinkert manages. As of now, I haven't heard back from him. https://github.com/doowb/set-getter/issues/2 https://github.com/jonschlinkert/lazy-cache/issues/9 https://github.com/jonschlinkert/repo-utils/issues/3

Jon might not be available anymore to maintain those packages. That's bad news considering the number of daily downloads each of the packages has.

I ended up publishing an updated version of repo-utils. I will probably do the same for the other packages as well.

OronNadiv commented 3 years ago

I forked the repository and published a new package to NPM. The new package uses the latest dependencies and as of now, has no other security vulnerabilities.

New repository: https://github.com/OronNadiv/to-object-path
New NPM Package: https://www.npmjs.com/package/to-object-path-js

doowb commented 3 years ago

The linked CVE specifies kind-of >= 6.0.0 and < 6.0.3. Version 3.2.2 does not fall within this range, which is fine to use here. Some additional discussion can be found here.

Since the update isn't necessary by itself, I'm going to close this issue and we'll update the dependency next time we update this module.
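A defender-side check for the version-range point made in the comment above, added here as an example that is not code from the to-object-path project or from any participant in the thread. The only page-derived values are the affected range for CVE-2019-20149 (>= 6.0.0 and < 6.0.3) and the 3.2.2 version under discussion; the lockfile entries it scans are constructed.

```javascript
// Added example (not part of the to-object-path project): decide whether an
// installed kind-of version falls inside the range the advisory names in this
// thread (>= 6.0.0 and < 6.0.3). Plain MAJOR.MINOR.PATCH parsing, no semver dep.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into a numeric triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions like a sort comparator: negative, zero or positive.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Affected range as stated in the thread: introduced at 6.0.0, fixed in 6.0.3.
const KIND_OF_AFFECTED = { introduced: '6.0.0', fixed: '6.0.3' };

function isAffected(version, range = KIND_OF_AFFECTED) {
  return compareVersions(version, range.introduced) >= 0 &&
         compareVersions(version, range.fixed) < 0;
}

// Scan the "packages" map of a package-lock.json (v2 layout) and report every
// kind-of entry, nested ones included, whose version is in the affected range.
function findAffectedKindOf(lockPackages) {
  return Object.entries(lockPackages)
    .filter(([p]) => p === 'node_modules/kind-of' || p.endsWith('/node_modules/kind-of'))
    .filter(([, meta]) => isAffected(meta.version))
    .map(([p, meta]) => `${p}@${meta.version}`);
}

// Constructed sample lockfile entries: a top-level 3.2.2 (outside the range, as
// the comment above notes), a nested 6.0.2 (inside) and a nested 6.0.3 (fixed).
const SAMPLE_LOCK = {
  'node_modules/kind-of': { version: '3.2.2' },
  'node_modules/some-dep/node_modules/kind-of': { version: '6.0.2' },
  'node_modules/other-dep/node_modules/kind-of': { version: '6.0.3' },
};

console.log(findAffectedKindOf(SAMPLE_LOCK));
// prints [ 'node_modules/some-dep/node_modules/kind-of@6.0.2' ]
```

Only the nested 6.0.2 copy is flagged; a lockfile can carry several copies of one package, so the top-level version alone is not enough to answer the question raised in this issue.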