mysticatea / cpx

A cli tool to watch and copy file globs.
MIT License

Several security vulnerabilities in dependency list #65

Open bennycode opened 2 years ago

bennycode commented 2 years ago

cpx defines a lot of vulnerable dependencies, such as:

Can you please update these deps? @mysticatea

nick-keller commented 2 years ago

It also uses minimist@1.2.5 which has a critical security issue

AmirHussain93 commented 2 years ago

It also uses shell-quote, could you please update it to the latest as soon as possible?

can anyone please look into this? @mysticatea @k88hudson @igor-toporet @forivall @pdehaan @quilicicf @yassh

quilicicf commented 2 years ago

I wish I could do something but I have no rights on that repository and my one and only PR never got merged :shrug: This repository hasn't seen a change since 2018 anyway, the maintainer probably doesn't receive the notifications anymore... So either we somehow manage to get @mysticatea to have a look (they seem to still be active on GitHub) or we might have to fork...

AmirHussain93 commented 2 years ago

Hi @quilicicf, thanks for the quick reply. Is there any way to inform the owner other than GitHub?

leschdom commented 2 years ago

FYI: For time being we switched to https://www.npmjs.com/package/cpx-fixed mentioned in https://stackoverflow.com/questions/54996035/npm-copy-files-with-cpx-in-postinstall-script/59845967#59845967 - but of course it would be better when the "root" issue is addressed in this repository.
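Before switching packages or forking, it helps to know exactly which copies of the flagged dependencies your own tree actually carries: a fixed minimist or shell-quote hoisted to the top of node_modules does not help if cpx still pins an older copy nested under node_modules/cpx/node_modules. The script below is an added example, not code from the cpx project or from anyone in this thread. It walks a node_modules tree for every installed copy of a named package and reports the ones below a minimum version. The tree it scans is constructed inline for the demo, and the floor of 1.2.6 for minimist is an assumption taken from the package's own advisory rather than something this thread states; substitute the fixed version given in the advisory for whichever package you are checking.

```shell
#!/bin/sh
# Added example (not part of cpx): find installed copies of a package that
# are older than a given minimum version, including copies nested under
# other packages such as node_modules/cpx/node_modules/<pkg>.

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Missing components count as 0; pre-release suffixes are not handled.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# find_outdated_copies PKG MIN ROOT: print one line per package.json of PKG
# under ROOT whose version is below MIN. A copy with no readable version is
# treated as 0 and therefore reported.
find_outdated_copies() {
  pkg="$1"; min="$2"; root="$3"
  find "$root" -path "*/node_modules/$pkg/package.json" -print | sort |
  while IFS= read -r pj; do
    ver=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
    if version_lt "$ver" "$min"; then
      printf '%s %s@%s < %s\n' "$pj" "$pkg" "${ver:-unknown}" "$min"
    fi
  done
}

# build_demo_tree ROOT: constructed sample tree (not a real install).
# A hoisted minimist at the assumed floor, an older copy nested under cpx,
# and an unrelated package that must be ignored.
build_demo_tree() {
  root="$1"
  mkdir -p "$root/node_modules/minimist"
  printf '{\n  "name": "minimist",\n  "version": "1.2.6"\n}\n' \
    > "$root/node_modules/minimist/package.json"
  mkdir -p "$root/node_modules/cpx/node_modules/minimist"
  printf '{\n  "name": "minimist",\n  "version": "1.2.5"\n}\n' \
    > "$root/node_modules/cpx/node_modules/minimist/package.json"
  mkdir -p "$root/node_modules/example-unrelated"
  printf '{\n  "name": "example-unrelated",\n  "version": "0.0.1"\n}\n' \
    > "$root/node_modules/example-unrelated/package.json"
}

# Demo run: only the copy nested under cpx is reported.
DEMO=$(mktemp -d)
build_demo_tree "$DEMO"
find_outdated_copies minimist 1.2.6 "$DEMO"
rm -rf "$DEMO"
```

Run it against a real project as `find_outdated_copies minimist <fixed-version> .` from the project root; nested copies are the ones `npm audit` flags even after the top-level dependency has been updated. While upstream remains unmaintained, npm 8.3 and later let you force every nested copy to a fixed version with an `"overrides"` entry in package.json (Yarn has `"resolutions"`), which is a narrower change than replacing cpx outright.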

quilicicf commented 2 years ago

I do not know the author unfortunately, so I have no clue what the best channel is to reach them :-( They didn't share their email on GitHub but it looks like they have a Twitter account with the same handle as on GitHub. Might be worth it to try I guess.

douglasg14b commented 6 months ago

Sucks that it can't be taken over and community maintained, thus the JS ecosystem churns forward :(