micromatch / nanomatch

Fast, minimal glob matcher for node.js. Similar to micromatch, minimatch and multimatch, but without support for extended globs (extglobs), posix brackets or braces, and with complete Bash 4.3 wildcard support: ("*", "**", and "?").
https://github.com/micromatch
MIT License

High severity vulnerabilities are reported for v1.2.13 #22

Closed medikoo closed 5 years ago

medikoo commented 5 years ago

We're using nanomatch in serverless, and we were notified by some users that on snyk.io, nanomatch is marked as vulnerable due to dependencies it relies on -> https://app.snyk.io/test/npm/nanomatch/1.2.13

jonschlinkert commented 5 years ago

Isn't this an issue for snapdragon?

medikoo commented 5 years ago

> Isn't this an issue for snapdragon?

Doesn't look like it. The latest version of snapdragon (v0.12) is clean -> https://snyk.io/test/npm/snapdragon/0.12.0

The problem is that the latest version, v1.2.13, depends on the outdated snapdragon@0.8.

medikoo commented 5 years ago

I see it's fixed in master, so it's probably just a question of publishing new release (?)

doowb commented 5 years ago

@medikoo I'm looking into this and will have something published soon, thanks for the issue.

doowb commented 5 years ago

@medikoo everything should be patched and updated correctly now. Please install and let me know if you notice any more issues.

jonschlinkert commented 5 years ago

@doowb thanks for the fix! @medikoo thanks for creating the issue!

medikoo commented 5 years ago

Thanks @doowb, still I don't see any new version published (?). The latest on npm is still 1.2.13, which shares the vulnerability.

doowb commented 5 years ago

New patched versions of the affected dependencies in the tree were published. We couldn't just update nanomatch because it would take more refactoring due to changes in some of the dependencies.

You should be able to get the latest patched versions of all of the dependencies by forcing reinstalls (e.g. clearing caches and deleting lock files). Check out this short guide for more information.
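A check for the forced-reinstall step above, added here as an example and not code from the nanomatch project: it walks a package-lock v1 style dependency tree and reports every nested copy of a transitive package that is still below a required minimum version. The lock data is constructed sample input (package names set-value and mixin-deep as in this thread; the version numbers are invented placeholders, not real releases).

```javascript
// Added example, not code from the nanomatch project: walk a package-lock v1
// style tree and list every resolved copy of the named transitive packages, so
// you can check that no stale nested copy survived the forced reinstall.
// All version numbers below are constructed sample values, not real releases.
const sampleLock = {
  name: "my-app",
  dependencies: {
    nanomatch: {
      version: "1.2.13",
      dependencies: {
        "set-value": { version: "1.0.0" }, // stale nested copy (constructed)
        snapdragon: {
          version: "0.8.0",
          dependencies: { "mixin-deep": { version: "1.0.0" } },
        },
      },
    },
    "set-value": { version: "2.0.0" }, // hoisted, up-to-date copy (constructed)
    "mixin-deep": { version: "2.0.0" },
  },
};

// Recursively collect { name, path, version } for each occurrence of `names`.
function findPackageVersions(lock, names, prefix = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...prefix, name];
    if (names.includes(name)) {
      out.push({ name, path: path.join(" > "), version: entry.version });
    }
    findPackageVersions(entry, names, path, out); // descend into nested deps
  }
  return out;
}

// Compare dotted numeric versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every copy whose version is below the minimum required for that package.
function findStaleCopies(lock, minimums) {
  return findPackageVersions(lock, Object.keys(minimums)).filter(
    (f) => compareVersions(f.version, minimums[f.name]) < 0
  );
}
console.log(findStaleCopies(sampleLock, { "set-value": "2.0.0", "mixin-deep": "2.0.0" }));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` and set the minimums to the versions your advisory source (e.g. the snyk.io report linked above) lists as patched.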

medikoo commented 5 years ago

Ok, I see that old versions of mixin-deep and set-value were patched.

Still, snyk.io reports them as vulnerable: https://app.snyk.io/test/npm/nanomatch/1.2.13 but I guess it's now an issue on snyk.io's side.

LinguineCode commented 4 years ago

Confirmed fixed.

I followed the guide in https://github.com/micromatch/nanomatch/issues/22#issuecomment-505480852 (basically rm -rf node_modules package-lock.json) and, to my surprise, npm install brought in the correct version of the set-value package.

I'm surprised because... I have no idea how this works without nanomatch cutting a new release. Magical 🦄

racinmat commented 3 years ago

Hi, it's been a year. Is there a plan to release a new version, so people who don't want to use deprecated libraries wouldn't have to run on master?