Closed dreamorosi closed 2 years ago
We're actually in a weird state where this package has a yarn.lock and a package-lock.json so we probably need to clean that up as well. Currently I am using npm v7. Thanks for the help :)
@thaddmt I turned on the dependabot security alerts. Can you see them on the front page?
If you update lock files and dependencies, probably would be best to turn on dependabot for automatic pull requests once a month or so like we have in MapLibre GL JS: https://github.com/maplibre/maplibre-gl-js/blob/main/.github/dependabot.yml
@wipfli nothing shows up for me currently
Now?
Yep can see it now! thanks!
The project depends on `nanoid` version 2.0.1 which is affected by CVE-2021-23566. This is showing up in vulnerability scans of several packages that depend on yours. Would it be possible to update the dependency to `nanoid >=3.1.31`?

I've cloned the branch, updated the dependency to version `^3.2.0`, and run the tests and they're all passing so it should be a quick fix. If you could share the npm version used by this project I'd be happy to open a PR to do the update, I'm asking this because I don't want to break your current lock files as a result of the update.
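Added example, not code from this thread or from the project: a small Node script that scans a `package-lock.json` for every resolved copy of `nanoid` (direct or transitive) still below 3.1.31, the fixed version the issue cites for CVE-2021-23566, so the check can be repeated after the lock files are cleaned up. The lock-file contents and the package name `some-lib` are constructed; the version comparison is a minimal hand-written one rather than the `semver` package.

```javascript
// Compare two "x.y.z" versions numerically: -1, 0 or 1 (prerelease tags ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every resolved copy of `name` from a parsed package-lock.json.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function findInstalledVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name) && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + dep;
      if (dep === name && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/'); // nested (non-hoisted) copies
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Entries whose version is below `fixedIn`, i.e. still affected by the advisory.
function vulnerableEntries(lock, name, fixedIn) {
  return findInstalledVersions(lock, name)
    .filter((e) => compareVersions(e.version, fixedIn) < 0);
}

// Constructed sample lock (lockfileVersion 1): the top-level nanoid was bumped,
// but a transitive copy under the hypothetical "some-lib" is still 2.0.1.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    nanoid: { version: '3.2.0' },
    'some-lib': { version: '1.0.0', dependencies: { nanoid: { version: '2.0.1' } } },
  },
};
const NANOID_FIXED_IN = '3.1.31'; // fixed version named in the thread for CVE-2021-23566
console.log(vulnerableEntries(SAMPLE_LOCK, 'nanoid', NANOID_FIXED_IN));
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to run it against a real lock file; the `yarn.lock` mentioned in the thread uses a different format and is not parsed here.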