maizzle / framework

Quickly build HTML emails with Tailwind CSS.
https://maizzle.com
MIT License

Vulnerability in dependencies #1223

Closed benjamin-chang closed 5 months ago

benjamin-chang commented 5 months ago

Following up on https://github.com/maizzle/framework/issues/740. Still getting this warning.

npm audit

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @maizzle/framework@3.7.3, which is a breaking change
node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @maizzle/cli  >=1.1.0
        Depends on vulnerable versions of update-notifier
        node_modules/@maizzle/cli
          @maizzle/framework  >=4.0.0-alpha.1
          Depends on vulnerable versions of @maizzle/cli
          node_modules/@maizzle/framework

6 moderate severity vulnerabilities

Steps to reproduce

nvm use 18.16.0
npm i @maizzle/framework
npm audit

cossssmin commented 5 months ago

Looks like it's not updated in one of the CLI's dependencies which we use for notifying of a new Maizzle version:

├─┬ @maizzle/cli@1.5.7
│ └─┬ update-notifier@5.1.0
│   └─┬ latest-version@5.1.0
│     └─┬ package-json@6.5.0
│       └── got@9.6.0

Can't update it there unfortunately, as starting with v6.0.0 update-notifier is ESM-only :(

TBH it's been causing nothing but trouble; I think maybe it's just best to drop it in a feature release, i.e. in v1.6.0 of @maizzle/cli.
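
The chain quoted above is what npm audit walks when it reports `node_modules/package-json/node_modules/got`: the old got is nested under package-json because the hoisted top-level copy does not satisfy package-json's range. The script below is an added example (not Maizzle's or npm's code) that traces such a chain through a lockfile v2/v3 `packages` map and checks the version it finds against the advisory's fixed version (got < 11.8.5). The lock is constructed by hand from the tree in this issue; the root package name `my-emails`, the @maizzle/framework version 4.0.0 and the hoisted got@11.8.6 are assumptions so it runs offline.

```javascript
// Added example, not Maizzle's code: trace a vulnerable transitive dependency
// through an npm lockfile (v2/v3 "packages" map) the way npm audit reports it,
// and check the found version against the advisory's fixed version.
//
// The lock below is constructed by hand from the tree quoted in the issue.
// The root name, the @maizzle/framework version and the hoisted got@11.8.6
// are assumptions so the example runs offline; a real lockfile is read with
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")).packages.
const lock = {
  "": { name: "my-emails", dependencies: { "@maizzle/framework": "^4.0.0" } },
  "node_modules/@maizzle/framework": { version: "4.0.0", dependencies: { "@maizzle/cli": "^1.5.7" } },
  "node_modules/@maizzle/cli": { version: "1.5.7", dependencies: { "update-notifier": "^5.1.0" } },
  "node_modules/update-notifier": { version: "5.1.0", dependencies: { "latest-version": "^5.1.0" } },
  "node_modules/latest-version": { version: "5.1.0", dependencies: { "package-json": "^6.5.0" } },
  "node_modules/package-json": { version: "6.5.0", dependencies: { got: "^9.6.0" } },
  // Hoisted got (assumed version) that packages without a narrower range resolve to...
  "node_modules/got": { version: "11.8.6", dependencies: {} },
  // ...and the old got nested under package-json, because ^9.6.0 cannot be
  // satisfied by the hoisted copy. This is the location npm audit printed.
  "node_modules/package-json/node_modules/got": { version: "9.6.0", dependencies: {} },
};

// Split "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// True when `a` sorts before `b`. Prerelease identifiers are not ordered among
// themselves here; a prerelease of X.Y.Z is only treated as older than X.Y.Z.
function lessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i];
  }
  return pa.prerelease && !pb.prerelease;
}

// npm's lookup rule for lockfile v2/v3 locations: a package at `fromLoc` that
// depends on `name` gets the nearest node_modules/<name> walking up the tree.
function resolveDep(lock, fromLoc, name) {
  let base = fromLoc;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (lock[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Depth-first walk from the root, returning every chain that ends at a
// `target` package whose version is below `fixedVersion`.
function findVulnerablePaths(lock, target, fixedVersion) {
  const hits = [];
  const walk = (loc, chain, seen) => {
    for (const dep of Object.keys(lock[loc].dependencies || {})) {
      const depLoc = resolveDep(lock, loc, dep);
      if (depLoc === null) continue; // not in the lock: nothing installed to audit
      const next = chain.concat(`${dep}@${lock[depLoc].version}`);
      if (dep === target && lessThan(lock[depLoc].version, fixedVersion)) {
        hits.push({ location: depLoc, chain: next });
      }
      if (!seen.has(depLoc)) walk(depLoc, next, new Set(seen).add(depLoc)); // seen guards cycles
    }
  };
  walk("", [lock[""].name], new Set([""]));
  return hits;
}

const GOT_FIXED = "11.8.5"; // first fixed version per GHSA-pfrx-2q88-qq97, as quoted in the issue
for (const hit of findVulnerablePaths(lock, "got", GOT_FIXED)) {
  console.log(`${hit.location}\n  ${hit.chain.join(" > ")}`);
}
```

Run with `node`. For this lock it prints the one nested location and the chain my-emails > @maizzle/framework > @maizzle/cli > update-notifier > latest-version > package-json > got@9.6.0, while `resolveDep` from `node_modules/@maizzle/cli` lands on the hoisted got, which is why only package-json's copy is flagged. Because nothing in that chain can be bumped without crossing update-notifier's ESM-only v6 boundary, the only fix npm audit can offer is the downgrade to @maizzle/framework@3.7.3 shown in the report, which is what makes dropping update-notifier from the CLI the cleaner route.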

benjamin-chang commented 5 months ago

> Can't update it there unfortunately, as starting with v6.0.0 update-notifier is ESM-only :(
>
> TBH it's been causing nothing but trouble; I think maybe it's just best to drop it in a feature release, i.e. in v1.6.0 of @maizzle/cli.

That is unfortunate. +1 here for dropping it.

benjamin-chang commented 5 months ago

moved to https://github.com/maizzle/cli/issues/236