kentcdodds / babel-plugin-macros

🎣 Allows you to build simple compile-time libraries
https://npm.im/babel-plugin-macros
MIT License
2.62k stars 135 forks

Can we bump "cosmiconfig" dependency to its latest #194

Closed AbeykoonOshan closed 1 year ago

AbeykoonOshan commented 1 year ago

As per the recent Snyk reports, the yaml package has a security vulnerability. Snyk issue: https://security.snyk.io/vuln/SNYK-JS-YAML-5458867 But this is fixed in the latest version of yaml.

For the moment the babel-plugin-macros library is dependent on "cosmiconfig@7.0.0", which has another dependency on "yaml@1.10.0". But the newer version of "cosmiconfig" doesn't use "yaml" as a dependency, so if we can bump "cosmiconfig" to its latest it will be helpful.

I am not sure how much of the vulnerable functionality of "yaml" is used in "cosmiconfig" or how it can affect this package; I am just creating this issue for the library to evaluate this and fix it if it's possible.

conartist6 commented 1 year ago

I just closed the issue we have tracking this. The vulnerability was reported incorrectly, and does not affect the version of yaml used in babel-plugin-macros.

conartist6 commented 1 year ago

I'll leave this open for a little bit in hopes that it prevents people opening more clones of the same issue, but the fix needs to happen in the vulnerability database, not in this project.