Open juliangrube1988 opened 11 months ago
https://github.com/advisories/GHSA-pfrx-2q88-qq97
Unless I'm mistaken, it looks like there are actually a few packages here to sort out:
➜ npm audit
# npm audit report
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @useoptic/optic@0.47.7, which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
@useoptic/optic >=0.36.6-0
Depends on vulnerable versions of latest-version
Depends on vulnerable versions of update-notifier
node_modules/@useoptic/optic
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
5 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
Will you create a new release for this? Yesterday's version 0.50.12 does not include those changes.
Hi, I just released 0.50.13, which includes this change.
Thanks, but the issue still persists with version 0.50.13:
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
@useoptic/optic >=0.36.6-0
Depends on vulnerable versions of update-notifier
node_modules/@useoptic/optic
5 moderate severity vulnerabilities
@juliangrube1988 please try 0.50.14:
➜ cat package.json
{
"dependencies": {
"@useoptic/optic": "^0.50.14"
}
}
➜ npm audit
found 0 vulnerabilities
Hey, sorry, we had to revert these changes - the newer packages are ESM-only, which we need to spend some time figuring out how to support.
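As an added example (not code from the optic project or from anyone in this thread), the script below walks a package-lock.json `packages` map and prints every dependency path from the project root down to a `got` release below 11.8.5, the fixed version the advisory above names. It shows why the same `latest-version` / `package-json` chain surfaces twice in the audit output (once directly under optic and once via update-notifier) and why a nested, already-fixed copy of `got` is not a finding. The lockfile contents are constructed for the demo; the lockfileVersion 2/3 layout and the nearest-`node_modules`-wins resolution rule are assumptions about npm's format, and `SAMPLE_LOCK`, `findVulnerableGotPaths` and the `other` package are names invented here.

```javascript
// Added example, not code from the optic project or from this thread.
// Walks a package-lock.json (lockfileVersion 2/3 "packages" map, assumed
// layout) and reports every root -> ... -> got path whose got version is
// below 11.8.5, the fix version in GHSA-pfrx-2q88-qq97.

const FIXED_GOT = '11.8.5';

// Constructed lockfile mirroring the dependency chain npm audit reported above.
// Versions and the unrelated "other" package are made up for the demo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@useoptic/optic': '^0.50.12', other: '^1.0.0' } },
    'node_modules/@useoptic/optic': {
      version: '0.50.12',
      dependencies: { 'latest-version': '^5.1.0', 'update-notifier': '^5.1.0' },
    },
    'node_modules/update-notifier': { version: '5.1.0', dependencies: { 'latest-version': '^5.1.0' } },
    'node_modules/latest-version': { version: '5.1.0', dependencies: { 'package-json': '^6.5.0' } },
    'node_modules/package-json': { version: '6.5.0', dependencies: { got: '^9.6.0' } },
    'node_modules/got': { version: '9.6.0' },
    // "other" carries its own nested, already-fixed got and must not be reported
    'node_modules/other': { version: '1.0.0', dependencies: { got: '^11.8.6' } },
    'node_modules/other/node_modules/got': { version: '11.8.6' },
  },
};

// Parse "x.y.z" (tolerating a leading range operator such as ^ or >=) into numbers.
function parseVersion(v) {
  const m = /^[\^~<>=]*(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator result (-1, 0, 1) on the numeric triple; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockKey) {
  const idx = lockKey.lastIndexOf('node_modules/');
  return lockKey.slice(idx + 'node_modules/'.length);
}

// Resolve depName the way Node does from fromKey: the nearest node_modules
// directory walking up the tree wins. Returns the lock key or null.
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Return every dependency path ("a@1 > b@2 > got@x") that ends in a vulnerable
// got. The visited set is per path, so a shared sub-tree is reported once per
// route into it, which is how npm audit ends up listing the same chain twice.
function findVulnerableGotPaths(lock) {
  const packages = lock.packages;
  const results = [];
  const walk = (key, path, seen) => {
    const entry = packages[key];
    if (!entry || seen.has(key)) return;
    const nextSeen = new Set(seen).add(key);
    if (key !== '' && packageName(key) === 'got') {
      if (compareVersions(entry.version, FIXED_GOT) < 0) results.push(path.join(' > '));
      return; // got itself is a leaf for this search
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(packages, key, dep);
      if (target) walk(target, [...path, `${packageName(target)}@${packages[target].version}`], nextSeen);
    }
  };
  walk('', ['root'], new Set());
  return results;
}

console.log(findVulnerableGotPaths(SAMPLE_LOCK).join('\n'));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result for `got` is the same condition that makes `npm audit` report 0 vulnerabilities for this advisory, while `npm ls got` shows the same tree without the version filter.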
Describe the bug
Optic v0.50.10 depends on a vulnerable version of latest-version.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
latest-version > 5.1.0
Details (please complete the following information):