Open ekelvin opened 6 years ago
I have no control over the static-eval version. It is buried in transitive dependencies. All I can do is update spritesmith, but it is already at the most recent version. Action must first be taken there https://github.com/scijs/cwise and then in every package before it in that dependency chain, up until webpack-spritesmith.
Yet I am not sure how that is a vulnerability. Code in this repository will not likely be executed in an environment that can compromise something serious... I hope so. I am not a security specialist though.
Can you please consider upgrading static-eval to version >= 2.0.0, where this vulnerability is patched?

Moderate        Sandbox Breakout / Arbitrary Code Execution
Package         static-eval
Patched in      >=2.0.0
Dependency of   webpack-spritesmith [dev]
Path            webpack-spritesmith > spritesmith > pixelsmith > ndarray-fill > cwise > static-module > static-eval
More info       https://nodesecurity.io/advisories/548
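The advisory above only reports the one path npm audit found; when a package is "buried in transitive dependencies" it helps to enumerate every path that resolves it and check each resolved version against the patched release. The following is an added example, not code from this issue or from the webpack-spritesmith project. It walks a package-lock.json v1-style `dependencies` tree (the tree below is constructed to mirror the advisory's path, and its version numbers other than the static-eval fix threshold are made up), prints each occurrence of a target package, and flags versions below the patched version.

```javascript
// Added example (not from the issue or the webpack-spritesmith project).
// Constructed lock tree mirroring the advisory's dependency path; the
// version numbers are made up except for the static-eval "patched in" value.
const lockTree = {
  dependencies: {
    "webpack-spritesmith": {
      version: "0.0.0-constructed",
      dev: true,
      dependencies: {
        spritesmith: {
          version: "0.0.0-constructed",
          dependencies: {
            pixelsmith: {
              version: "0.0.0-constructed",
              dependencies: {
                "ndarray-fill": {
                  version: "0.0.0-constructed",
                  dependencies: {
                    cwise: {
                      version: "0.0.0-constructed",
                      dependencies: {
                        "static-module": {
                          version: "0.0.0-constructed",
                          dependencies: {
                            // Constructed pre-fix version: below the >=2.0.0 threshold.
                            "static-eval": { version: "1.1.1" },
                          },
                        },
                      },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Compare two "major.minor.patch" strings numerically (pre-release tags are
// ignored; enough for a "patched in >= X" check). Negative, zero or positive.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk over nested "dependencies" objects. Returns one entry per
// occurrence of `target`, with the full path of package names leading to it.
function findPaths(tree, target, prefix = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, name];
    if (name === target) hits.push({ path, version: info.version });
    hits.push(...findPaths(info, target, path));
  }
  return hits;
}

// Mark each resolved copy of `target` as vulnerable when it is below `patched`.
function auditTransitive(tree, target, patched) {
  return findPaths(tree, target).map(({ path, version }) => ({
    path: path.join(" > "),
    version,
    vulnerable: compareSemver(version, patched) < 0,
  }));
}

// Stand-alone run: report every path to static-eval in the constructed tree.
for (const r of auditTransitive(lockTree, "static-eval", "2.0.0")) {
  console.log(`${r.vulnerable ? "VULNERABLE" : "ok"} ${r.version} via ${r.path}`);
}
```

On a real project, replace `lockTree` with the parsed contents of package-lock.json; the same walk answers whether a bump far up the chain (cwise or static-module in this case) actually caused a patched static-eval to be resolved, rather than trusting that the top-level package is "already at the most recent version".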