Closed pklingem closed 2 years ago
@maxogden tests are passing, any chance to merge this and bump the patch version so folks can clear up security vulnerabilities?
@maxogden friendly bump.
I haven't had time to maintain this lately, anyone else wanna help do releases + testing? @mafintosh is also a contributor
It's been over a year now and the dependency on pretty-bytes@^1.0.2 still produces a massive and completely unnecessary dependency tree for this module (and in turn any module which depends on nugget, e.g. electron through electron-download).
Please merge this!
@maxogden & @mafintosh Friendly bump #2 ... Please merge this.
@maxogden Friendly bump of this PR. There are still some packages that use this, and any time you use one of those packages you get an audit warning (and a dependabot warning on GitHub too).
I tried to fix this via `npm audit fix` and by adding overrides (see npmjs.com) to the package.json of the project I'm working on, and neither method was a solution.
This PR is probably the best method to resolve the vulnerability, as I believe most packages that depend on this package would upgrade almost immediately.
@maxogden @mafintosh Friendly bump too. Hope you'll see this! I just tried to reach out to Max on Twitter, just in case.
published 2.0.2 with this PR
pretty-bytes has an nth-level dependency with a security vulnerability (parse-json, which vendors in unicode.js); bumping pretty-bytes significantly reduces the number of dependencies.
npm list results:
before:
after: