Closed jackwhelpton closed 5 months ago
I had a look at https://www.npmjs.com/package/acorn-import-assertions and https://www.npmjs.com/package/acorn-import-attributes: as far as I can tell, this seems to be a legitimate change of package name, still controlled by the same maintainer.
Yeah, the rename of the module is because the proposal for the spec was renamed.
Any chance of a rough ETA for getting this reviewed/in, a new version cut and dd-trace-js updated? Our security folks are pushing us on this one and I'd like to be able to give them a rough guide on how long it'll take us to mitigate.
Would you like me to update `package.json` to 1.7.4 in this branch, or is versioning/tagging/publishing handled separately?
This dependency appears to have been renamed since 1.9.0: observe that github.com/xtuc/acorn-import-assertions redirects to https://github.com/xtuc/acorn-import-attributes.
In 1.9.2 a security vulnerability was addressed (fully qualifying a package reference to prevent a confusion attack), which is being introduced into our codebase via this repo (by way of `dd-trace`).

Validated that all current tests still pass with this update.