Closed medikoo closed 5 years ago
Isn't this an issue for snapdragon?
Doesn't look like. Latest version of snapdragon (v0.12) is clean -> https://snyk.io/test/npm/snapdragon/0.12.0
Problem is that latest version v1.2.13 depends on outdated snapdragon@0.8
I see it's fixed in master, so it's probably just a question of publishing new release (?)
@medikoo I'm looking into this and will have something published soon, thanks for the issue.
@medikoo everything should be patched and updated correctly now. Please install and let me know if you notice any more issues.
@doowb thanks for the fix! @medikoo thanks for creating the issue!
Thanks @doowb, still I don't see any new version published (?). Latest on npm is still 1.2.13, which shares the vulnerability.
New patched versions of the affected dependencies in the tree were published. We couldn't just update nanomatch because it would take more refactoring due to changes in some of the dependencies.
You should be able to get the latest patched versions of all of the dependencies by forcing reinstalls (e.g. clearing caches and deleting lock files). Check out this short guide for more information.
Ok, I see that old versions of mixin-deep and set-value were patched.
Still snyk.io reports them as vulnerable: https://app.snyk.io/test/npm/nanomatch/1.2.13 but I guess it's now an issue on snyk.io side
Confirmed fixed.
I followed the guide in https://github.com/micromatch/nanomatch/issues/22#issuecomment-505480852 (basically rm -rf node_modules package-lock.json) and to my surprise, npm install brought in the correct version of set-value package.
I'm surprised because... I have no idea how this works without nanomatch cutting a new release. Magical 🦄
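One way to confirm what the reinstall described in this thread actually resolved, as an added example (not code from nanomatch or from any commenter): it scans a parsed package-lock.json for installed copies of named packages that are older than a required minimum. The minimum versions, the lockfile contents and `some-parent` are constructed placeholders, since the thread does not state the patched version numbers.

```javascript
// Added example. Versions, lockfile contents and "some-parent" are constructed
// placeholders; the real patched versions are not stated in the thread.
const MINIMUMS = { 'set-value': '9.0.1', 'mixin-deep': '9.0.2' };
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    nanomatch: { version: '1.2.13' },
    'mixin-deep': { version: '9.0.2' },
    'set-value': { version: '9.0.0' },
    'some-parent': { version: '1.0.0', dependencies: { 'set-value': { version: '8.0.0' } } },
  },
};

// Compare plain x.y.z versions (prerelease tags ignored): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// List every installed copy of a package named in `minimums` that is older than its
// minimum. Uses the flat "packages" map (lockfileVersion 2/3), else the nested tree (v1).
function findStaleCopies(lock, minimums) {
  const stale = [];
  const check = (name, version, where) => {
    const known = Object.prototype.hasOwnProperty.call(minimums, name);
    if (known && version && compareVersions(version, minimums[name]) < 0) {
      stale.push({ name, version, where });
    }
  };
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      check(name, info.version, [...trail, name].join(' > '));
      walk(info.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const parts = path.split('node_modules/').filter(Boolean).map((p) => p.replace(/\/$/, ''));
    check(parts[parts.length - 1], info.version, parts.join(' > '));
  }
  return stale;
}
console.log(findStaleCopies(SAMPLE_LOCK, MINIMUMS));
```

An empty result after regenerating the lockfile means no copy of the listed packages is pinned below the chosen minimum; the `where` field gives the install path of any copy that still is.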
Hi, it's been a year, is there a plan to release a new version, so people who don't want to use deprecated libraries wouldn't have to run on master?
We're using nanomatch in serverless, and we were notified by some users that on snyk.io, nanomatch is marked as vulnerable due to dependencies it relies on -> https://app.snyk.io/test/npm/nanomatch/1.2.13