Chr1s70ph opened 2 years ago
This warning is not a concern. See how update-notifier is used in the source code. Prototype pollution is not possible given the usage.

The only way to rectify this issue is to remove update-notifier from the package or upgrade. The latter is not possible, as update-notifier introduced breaking env changes and would thus break backward compat for this package. Removing update-notifier would probably be fine, as users probably don't need to be alerted that a new version of the CLI is available. Feel free to submit a PR.
@kgryte I cloned the repo and made the relatively minor changes to remove update-notifier dependencies. When I tried to push and create a PR it tells me I don't have permission to push. I'd also like to add functionality to close an issue. Should I work from a fork? And if so (I've never forked anything before), how do I then get my version installed instead of your version, using npm? Thanks!
I've now added issue-commenting and issue-closing functionality.
You can create a new branch and submit a new PR that way. Pushing to the master branch is only allowed for maintainers of the repository.
Creating a new branch isn't an option; is it perhaps disabled in the repo?
Create a branch locally on your machine by using git checkout -b "your_branch_name"
Afterwards, you will be able to create a PR.
Updating the package to the latest version introduces insecurities. These do not appear on version 1.0.1 of the package.