maplibre / maplibre-gl-geocoder

Geocoding for MapLibre
ISC License

Dependency nanoid is vulnerable & needs to be upgraded #22

Closed dreamorosi closed 2 years ago

dreamorosi commented 2 years ago

The project depends on nanoid version 2.0.1 which is affected by CVE-2021-23566.

This is showing up in vulnerability scans of several packages that depend on yours. Would it be possible to update the dependency to nanoid >=3.1.31?

I've cloned the branch, updated the dependency to version ^3.2.0, and run the tests, and they're all passing, so it should be a quick fix.

If you could share the npm version used by this project, I'd be happy to open a PR to do the update. I'm asking because I don't want to break your current lock files as a result of the update.

thaddmt commented 2 years ago

We're actually in a weird state where this package has a yarn.lock and a package-lock.json so we probably need to clean that up as well. Currently I am using npm v7. Thanks for the help :)

wipfli commented 2 years ago

@thaddmt I turned on the dependabot security alerts. Can you see them on the front page?

wipfli commented 2 years ago

If you update lock files and dependencies, probably would be best to turn on dependabot for automatic pull requests once a month or so like we have in MapLibre GL JS: https://github.com/maplibre/maplibre-gl-js/blob/main/.github/dependabot.yml
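One way to verify a lock file after the update discussed above, as an added example that is not part of the maplibre-gl-geocoder project: it walks a package-lock.json (both the nested lockfileVersion 1 layout and the path-keyed lockfileVersion 2/3 layout) and reports every copy of nanoid below the fixed version 3.1.31 named in the issue, including transitive copies nested under other dependencies. The sample lock object is constructed for the demonstration.

```javascript
// Added example, not project code: flag nanoid entries older than the fixed
// version given in the issue, wherever they sit in a package-lock.json tree.
const VULNERABLE_PKG = 'nanoid';
const FIXED_VERSION = '3.1.31'; // first version not affected per the issue

// Compare two dotted numeric versions; negative when a < b, like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns "path@version" for every vulnerable copy found in the lock object.
function findVulnerableNanoid(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/foo/node_modules/nanoid"; link entries carry no version.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + VULNERABLE_PKG) && meta.version &&
          compareVersions(meta.version, FIXED_VERSION) < 0) {
        hits.push(`${path}@${meta.version}`);
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects, walked recursively.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        if (name === VULNERABLE_PKG && compareVersions(meta.version, FIXED_VERSION) < 0) {
          hits.push(`${prefix}${name}@${meta.version}`);
        }
        if (meta.dependencies) walk(meta.dependencies, `${prefix}${name} > `);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample (lockfileVersion 2 shape): the top-level nanoid is fixed,
// but a transitive dependency still pins the affected 2.0.1.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/nanoid': { version: '3.2.0' },
    'node_modules/some-dep/node_modules/nanoid': { version: '2.0.1' },
  },
};
```

Running `findVulnerableNanoid(JSON.parse(fs.readFileSync('package-lock.json')))` against a real lock file gives the same kind of list; an empty result means no lingering copy below 3.1.31.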

thaddmt commented 2 years ago

@wipfli nothing shows up for me currently

wipfli commented 2 years ago

Now?

thaddmt commented 2 years ago

Yep, can see it now! Thanks!

thaddmt commented 2 years ago

https://github.com/maplibre/maplibre-gl-geocoder/pull/35