Open CarlKnox opened 4 years ago
I just updated to the latest patch versions of the dependencies. It seems that a transitive dependency of the vscode dependency is affected:
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vscode │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vscode > mocha > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 84 scanned packages
1 vulnerability requires manual review. See the full report for details.
(via npm audit)
I looked into the report and I think it's non-critical and is not related to graphviz.
I'm challenged to get this working on my system. That's OK, as I've found efanzh.graphviz-preview (currently only supports the DOT layout engine) to be more responsive and offer additional export options.
I don't get an advisory telling me which package is at fault; however, I suspect it has to do with graphviz since this isn't working for me. I'll let you know if I find anything.