Open bloep opened 1 year ago
It appears an outdated version of semver is also referenced as a dev dependency here: https://github.com/less/less.js/blob/4d3189c05175dfd8aab505ec19c7f5724f145295/packages/less/package.json#L100
@iChenLei, is there any update on this? If not, would a pull request be welcome?
it was fixed on make-dir side, run npm audit fix or try to reinstall less
That will only fix it if you use --force because the vulnerability fix has not been done in v2 of make-dir, but rather in the next major(s).
This means it would be best if less can upgrade make-dir to the latest major version.
Dunno if this repo is still maintained but I'd be open to creating a pull request.
@jorenbroekema PR welcome
@iChenLei done https://github.com/less/less.js/pull/4250
The less.js dependency make-dir is not up-to-date and causes a security warning due to its outdated dependency. See https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
I would suggest updating to a current make-dir version here. A quick search showed that it is only used here, so from my point of view an update should bring few problems. https://github.com/less/less.js/blob/7491578403a5a35464772c730854c3a5169c0de7/packages/less/bin/lessc#L163-L172
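The point raised in the thread about `--force` comes down to whether a patched release falls inside the range the parent package declares. The sketch below is an added example, not code from less.js or npm; it implements the npm caret/tilde upper-bound rules by hand, and the function names and version numbers are constructed placeholders, not the real make-dir releases.

```javascript
// Added example. Versions used with it are constructed, not real release numbers.
// Parse "MAJOR.MINOR.PATCH" into a numeric triple.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way comparison of two parsed versions.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of a caret (^), tilde (~) or exact range.
function upperBound(range) {
  const op = /^[\^~]/.test(range) ? range[0] : "=";
  const [maj, min, pat] = parse(range.replace(/^[\^~]/, ""));
  if (op === "~") return [maj, min + 1, 0];
  if (op === "=") return [maj, min, pat + 1];
  if (maj > 0) return [maj + 1, 0, 0];   // ^1.2.3 stays below 2.0.0
  if (min > 0) return [0, min + 1, 0];   // ^0.2.3 stays below 0.3.0
  return [0, 0, pat + 1];                // ^0.0.3 allows only 0.0.3
}

// Decide whether a patched release is reachable without changing the declared
// range (a plain `npm audit fix`), or only by editing the range / using --force.
function classifyFix(declaredRange, patchedVersions) {
  const lower = parse(declaredRange.replace(/^[\^~]/, ""));
  const upper = upperBound(declaredRange);
  const reachable = patchedVersions.filter((v) => {
    const p = parse(v);
    return cmp(p, lower) >= 0 && cmp(p, upper) < 0;
  });
  return reachable.length > 0
    ? { action: "in-range", versions: reachable }
    : { action: "range-change", versions: patchedVersions };
}

// Constructed case: parent pins ^2.1.0, fix shipped only in later majors.
console.log(classifyFix("^2.1.0", ["3.0.0", "4.0.0"]));
```

A `range-change` result means the parent package has to raise its declared range, which is what the linked pull request does for less.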