mmomtchev / node-gdal-async

Node.js bindings for GDAL (Geospatial Data Abstraction Library) with full async support
https://mmomtchev.github.io/node-gdal-async/
Apache License 2.0

NPM Audit fix for semver error #112

Open scottjones4 opened 9 months ago

scottjones4 commented 9 months ago

When running the npm audit functionality, it reports an error about the version of semver that gdal-async is using.

Moderate        semver vulnerable to Regular Expression Denial of Service
Package         semver
Patched in      >=6.3.1
Dependency of   gdal-async
Path            gdal-async > @mapbox/node-pre-gyp > make-dir > semver
More info       https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

I think this could be upgraded to a patched version.

mmomtchev commented 9 months ago

This is used only during unit testing; it is not a production-mode package.

scottjones4 commented 9 months ago

From reading through everything that I can about the error, it is coming from the inclusion of @mapbox/node-pre-gyp, which in the includes of gdal-async is listed as ^1.0.8. Looking into mapbox/node-pre-gyp, it appears that they have fixed the issue in their 1.0.11 version. For some reason, either trying to update our imports or removing gdal-async and reinstalling it will only pull in the 1.0.9 version, so the error is still being reported back. I don't know if the includes could be updated to the 1.0.11 version, which has been patched. I don't know whether there are other changes that would make that impossible. I don't think the problem is on my side as to why it does not seem to be pulling the latest; I have tried updating to the latest node version but still get the problem.
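The audit path quoted above (gdal-async > @mapbox/node-pre-gyp > make-dir > semver) is what npm derives by walking the lockfile, and the reason reinstalling does not help is that the nested copy of semver under make-dir is resolved separately from any hoisted copy. The following is an added example, not code from node-gdal-async or from either commenter: it walks a package-lock.json v2/v3 `packages` map with the same nearest-`node_modules` lookup Node uses, lists every dependency chain ending at a named package, flags chains whose installed version is below the "Patched in" version from the advisory, and builds the nested `overrides` entry (npm 8.3+) that pins only that chain. The lockfile and every version number in it are constructed for the example; whether a pinned override actually installs depends on make-dir's declared range accepting it, which is assumed here.

```javascript
// Added example (not part of node-gdal-async). Constructed lockfile: the
// package names mirror the audit path from the issue, the versions are
// illustrative only. "node_modules/semver" is the hoisted copy used by
// node-pre-gyp directly; "node_modules/make-dir/node_modules/semver" is the
// nested copy make-dir resolves to.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "gdal-async": "^3.6.0" } },
    "node_modules/gdal-async": {
      version: "3.6.0",
      dependencies: { "@mapbox/node-pre-gyp": "^1.0.8" },
    },
    "node_modules/@mapbox/node-pre-gyp": {
      version: "1.0.9",
      dependencies: { "make-dir": "^3.1.0", semver: "^7.3.5" },
    },
    "node_modules/make-dir": {
      version: "3.1.0",
      dependencies: { semver: "^6.0.0" },
    },
    "node_modules/semver": { version: "7.5.4" },
    "node_modules/make-dir/node_modules/semver": { version: "6.3.0" },
  },
};

// Node-style resolution: try <from>/node_modules/<name>, then walk up one
// node_modules level at a time until the root is reached.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("node_modules/");
    base = idx <= 0 ? "" : base.slice(0, idx - 1);
  }
}

// Depth-first walk from the root package; returns every chain ending at target,
// with the lockfile path and installed version of the copy that chain resolves to.
function findPaths(lock, targetName) {
  const packages = lock.packages;
  const results = [];
  const visit = (pkgPath, chain, seen) => {
    const pkg = packages[pkgPath];
    if (!pkg) return;
    const deps = Object.assign({}, pkg.dependencies, pkg.optionalDependencies,
      pkgPath === "" ? pkg.devDependencies : undefined);
    for (const depName of Object.keys(deps)) {
      const resolved = resolveDep(packages, pkgPath, depName);
      if (!resolved || seen.has(resolved)) continue; // unresolved or cycle
      const next = chain.concat(depName);
      if (depName === targetName) {
        results.push({ chain: next, path: resolved, version: packages[resolved].version });
      } else {
        visit(resolved, next, new Set(seen).add(resolved));
      }
    }
  };
  visit("", [], new Set([""]));
  return results;
}

// Numeric "major.minor.patch" comparison (pre-release tags ignored), so that
// 6.10.0 >= 6.3.1 holds where a plain string comparison would fail.
function satisfiesMin(version, minVersion) {
  const a = version.split("-")[0].split(".").map(Number);
  const b = minVersion.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Nested npm "overrides" object that pins only this chain, e.g.
// { "gdal-async": { "@mapbox/node-pre-gyp": { "make-dir": { "semver": "^6.3.1" } } } }
function overridesFor(chain, range) {
  return chain.reduceRight((inner, name) => ({ [name]: inner }), range);
}

// Every chain to `name` whose installed copy is below `minPatched`.
function vulnerableChains(lock, name, minPatched) {
  return findPaths(lock, name).filter((p) => !satisfiesMin(p.version, minPatched));
}

for (const hit of vulnerableChains(SAMPLE_LOCK, "semver", "6.3.1")) {
  console.log(`${hit.chain.join(" > ")} (installed ${hit.version}, at ${hit.path})`);
  console.log(JSON.stringify({ overrides: overridesFor(hit.chain, "^6.3.1") }, null, 2));
}
```

Run against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; the printed `overrides` object is pasted into package.json before `npm install`, after which `npm ls semver` should show the pinned version under make-dir.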