Closed Ilshidur closed 6 years ago
You can also update to 2.6.9. Please do it; it is pretty simple, takes two seconds, and will save a lot of tests from failing.
@b4dnewz I am not the author of the PR I linked. I guess @lisong could do it.
Actually @maxogden is the one who can solve this issue by updating the package.json file.
Maybe the author is CEO now, no time to read GitHub, haha~~
Guys... I don't want to bore anyone, but how can this be resolved if the author has no time to update the module?
I mean, this package extract-zip is a dependency of phantomjs and the security check complains about the path:
phantom@4.0.5 > phantomjs-prebuilt@2.1.15 > extract-zip@1.6.5 > debug@2.2.0
PhantomJS is a big project, and both phantom and phantomjs-prebuilt have a lot of dependents and a massive download number per day.
So I assume every one of these projects is vulnerable and possibly not building correctly, if a security check is made before the tests.
Read his profile; it says: "recruiters: don't email me. If I don't respond to your PR you should send me a DM on Twitter." You can contact him on Twitter, @b4dnewz.
Fixed by https://github.com/maxogden/extract-zip/commit/94b877a54dfaac8ada949cf385afb41fa0102099. Thanks for your patience.
Great job. Thanks @malept :tada:
Some dependencies need to be updated because of vulnerabilities:
The current extract-zip version is vulnerable to ReDoS exploits because of the debug@2.2.0 package, according to Snyk. All underlying packages using this version are marked as vulnerable, e.g. with ungit.
It would be nice to at least update the debug package to version 2.6.7, where the maintainers fixed the issue.
EDIT: will be solved when the PR https://github.com/maxogden/extract-zip/pull/47 is merged
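The transitive chain reported above (phantom > phantomjs-prebuilt > extract-zip > debug@2.2.0) is the kind of thing a dependency audit walks mechanically. The following is an added example, not code from the extract-zip project: it walks a constructed lockfile-v1 style tree (`{ name: { version, dependencies } }`) and reports every path ending in a `debug` version older than the 2.6.7 fix, in the same `a@1 > b@2` form used in the thread.

```javascript
// Added example (not part of extract-zip): find every dependency path
// that ends in a vulnerable version of a package. The tree shape
// { name: { version, dependencies? } } is the npm lockfile v1 layout.

// Compare two "x.y.z" versions numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Recursively collect "a@1 > b@2 > pkg@v" paths for every occurrence of
// `pkg` whose version is strictly below `fixedIn`.
function findVulnerablePaths(deps, pkg, fixedIn, prefix = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const path = prefix.concat(`${name}@${info.version}`);
    if (name === pkg && compareVersions(info.version, fixedIn) < 0) {
      hits.push(path.join(' > '));
    }
    hits.push(...findVulnerablePaths(info.dependencies, pkg, fixedIn, path));
  }
  return hits;
}

// Constructed sample tree: the chain from the thread, plus a sibling
// (hypothetical express entry) that already carries a patched debug.
const sampleLock = {
  phantom: { version: '4.0.5', dependencies: {
    'phantomjs-prebuilt': { version: '2.1.15', dependencies: {
      'extract-zip': { version: '1.6.5', dependencies: {
        debug: { version: '2.2.0' } } } } } } },
  express: { version: '4.16.0', dependencies: { debug: { version: '2.6.9' } } },
};

// Only the phantom chain is reported; express's debug@2.6.9 is >= 2.6.7.
const vulnerable = findVulnerablePaths(sampleLock, 'debug', '2.6.7');
vulnerable.forEach((p) => console.log(p));
```

The same walk over a real `package-lock.json`'s top-level `dependencies` object reproduces what the Snyk check flagged here.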