Closed AmitPhulera closed 3 years ago
Hi @andrewharvey, Thanks for the quick action, really appreciate it.
Would it be possible for you to make releases for versions v0.11.1, v0.12.2, v0.13.1? I just want to be sure the changes make it to https://github.com/mapbox/mapbox-gl-geocoder/
Thanks again for looking into it.
I don't think Mapbox would do patch releases like that, likely these changes would just flow through in the next release when that happens. If it's a security issue that meets Mapbox's eligibility requirements you can always report via https://www.mapbox.com/platform/disclosure/.
> I don't think Mapbox would do patch releases like that, likely these changes would just flow through in the next release when that happens.
I was really hoping that these updates go in.
> If it's a security issue that meets Mapbox's eligibility requirements you can always report via https://www.mapbox.com/platform/disclosure/.
I am not sure about that and neither do I have the expertise to investigate further in this area.
I guess the only option I am left with is waiting until a new version of Mapbox-gl-geocoder comes out.
Thanks a lot for your response @andrewharvey 😄
You'd need to first do a release here, then submit a PR to the geocoder to update the SDK-JS version, then do another release on the geocoder.
I think making a release here would fix geocoder as it uses `"@mapbox/mapbox-sdk": "^0.11.0"`.
https://github.com/mapbox/mapbox-gl-geocoder/blob/master/package.json#L62
So I guess having a v0.11.1 here would fix the issue.
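The disagreement above comes down to how npm resolves a caret range: `^0.11.0` accepts any `0.11.x` patch release but not `0.12.0`, so a fix only reaches the geocoder without a geocoder release if it is published inside `0.11.x`. The script below (an added example, not code from this thread, from mapbox-sdk-js or from mapbox-gl-geocoder) implements the npm caret rule for plain `x.y.z` versions and resolves a declared range against a constructed, hypothetical list of published versions; the version list and the `0.11.1` entry are assumptions for illustration, not real releases.

```javascript
// Added example: npm caret-range resolution, used to check whether a
// dependency declared as "^0.11.0" would pick up a hypothetical 0.11.1.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// npm caret rule: allow changes that do not modify the left-most non-zero
// component. ^1.2.3 => >=1.2.3 <2.0.0; ^0.11.0 => >=0.11.0 <0.12.0;
// ^0.0.3 => >=0.0.3 <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const lower = parseVersion(range.slice(1));
  const upper = caretUpperBound(lower);
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Given the declared range and the published versions, return the highest one
// an install would resolve to (null if none match). That is what decides
// whether a dependency fix "flows through" without a release of the dependent.
function resolveHighest(range, published) {
  const matching = published.filter((v) => satisfiesCaret(range, v));
  if (matching.length === 0) return null;
  return matching
    .sort((a, b) => compare(parseVersion(a), parseVersion(b)))
    .pop();
}

// Constructed sample (assumption, not a real registry listing): the geocoder's
// declared range and a hypothetical set of published SDK versions, including
// the 0.11.1 patch release proposed in the thread.
const DECLARED_RANGE = '^0.11.0';
const PUBLISHED = ['0.10.0', '0.11.0', '0.11.1', '0.12.0', '0.13.0'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(`${DECLARED_RANGE} resolves to ${resolveHighest(DECLARED_RANGE, PUBLISHED)}`);
}
```

With the sample list, `^0.11.0` resolves to `0.11.1`, which is why a patch release in the `0.11.x` line would reach the geocoder on its next fresh install, while a fix published only as `0.12.x` or `0.13.x` would not; a lockfile in the dependent project still pins the old version until it is regenerated.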
There is a CVE in one of the dependencies that `got` uses. Can share more details in private. Updating `got` to 10.7.0 fixes it. Assuming code has good test coverage, this would be a low-risk change. One test failed which I believe is a minor update in the `got` library. I have fixed it. Updating to the latest `got` version had more tests failing so I did not go that path. It would be helpful if this can be taken up quickly.