kevva / bin-wrapper

Binary wrapper that makes your programs seamlessly available as local dependencies
MIT License
152 stars 65 forks

Update dependencies #55

Closed Ilshidur closed 6 years ago

Ilshidur commented 7 years ago

Some dependencies of the version 3.0.2 are vulnerable. It would be nice to update them.

Or at least (in `package.json`): `"download": "^4.0.0"` to `"download": "^5.0.1"`, because 4.4.3 is vulnerable and 5.0.1 fixed it.

It would be better to update `"download": "^4.0.0"` to `"download": "^6.2.5"` (the latest version released).

I can open a PR in case you don't have the time.


EDIT : Seems to be fixed here.

Ilshidur commented 6 years ago

Is it possible to merge the branch `listr`? As it contains the fix for this issue, it would be nice to publish it to npm if this is production-ready :+1:

Otherwise, I can open a PR with an update of package.json :-)

benmurden commented 6 years ago

This is now also causing a deprecation warning for gulp-util, which the older download still used.

Unfortunately, it looks like the API has been changed in this branch, and is incompatible with the libraries I tried. They would have to be updated, too.

rejas commented 6 years ago

PR for this is in https://github.com/kevva/bin-wrapper/pull/65