Closed paulslauenwhite closed 2 months ago
merged in rdflib@2.2.35
Thanks @bourgeoa for the quick fix. Unfortunately, this fix (jsonld@8.3.2) did not resolve these undici CVEs. Looks like jsonld dependency will need to be upgraded to include a version of http-client that includes undici-5.28.4 or later, which contains fixes for these CVEs.
Can you please reopen this issue?
@paulslauenwhite I re-opened the issue but I should not. I checked rdflib@2.2.35 and it includes a version of http-client that includes undici-5.28.4
# npm ls undici
rdflib@2.2.35 /mnt/d/github/solidos/workspaces/rdflib
└─┬ jsonld@8.3.2
  └─┬ @digitalbazaar/http-client@3.4.1
    └── undici@5.28.4
Thanks @bourgeoa. Apologies for the confusion. Upgrading to rdflib@2.2.35 and running yarn install did not upgrade to undici@5.28.4 for me. The work-around:
rdflib@2.2.35.
yarn install.
rdflib@2.2.35.
yarn install.
No apologies. Happy that everything works for you.
rdflib.js has the following dependency hierarchy:
The undici dependency has the following CVEs:
To resolve these CVEs, the http-client dependency will need to upgrade to undici-5.28.4, which contains fixes for these CVEs.
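The thread turns on whether every resolved copy of undici in the tree is at 5.28.4 or later, which a stale lockfile can prevent even after upgrading rdflib. The following is an added example, not code from rdflib or from the participants: it walks a tree shaped like `npm ls undici --json` output and lists each copy with its dependency path. The sample tree is constructed, `example-stale-dep` is a hypothetical package, and the 5.28.4 floor is the one named in the thread.

```javascript
// Constructed sample shaped like `npm ls undici --json` output.
const sampleTree = {
  name: "rdflib", version: "2.2.35",
  dependencies: {
    jsonld: { version: "8.3.2", dependencies: {
      "@digitalbazaar/http-client": { version: "3.4.1", dependencies: {
        undici: { version: "5.28.4" } } } } },
    // Hypothetical stale entry, as an unrefreshed lockfile might still pin.
    "example-stale-dep": { version: "1.0.0", dependencies: {
      undici: { version: "5.28.2" } } },
  },
};

// Parse "x.y.z" (ignoring any pre-release/build suffix) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is lower than version b.
function isBelow(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Walk the tree and return every resolved copy of `pkg` with its path.
function findPackage(node, pkg, path = [`${node.name}@${node.version}`]) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === pkg) hits.push({ version: dep.version, path: here.join(" > ") });
    hits.push(...findPackage(dep, pkg, here));
  }
  return hits;
}

// Copies of `pkg` resolved below the floor version.
function staleCopies(tree, pkg, floor) {
  return findPackage(tree, pkg).filter((h) => isBelow(h.version, floor));
}

for (const h of findPackage(sampleTree, "undici")) {
  console.log(`${isBelow(h.version, "5.28.4") ? "BELOW FLOOR" : "ok"}  ${h.path}`);
}
```

To check a real project, pass the parsed JSON from `npm ls undici --json` in place of `sampleTree`.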