This PR updates the package.json file so that dependencies that in turn have outdated dependencies are upgraded to address critical vulnerabilities.
Three packages are proposed to be updated to their latest versions, and one dependency override is used since the package at issue has not been updated in 8 years.
Packages upgraded:
- "conventional-changelog-writer": "^5.0.1"
- "git-url-parse": "^14.0.0"
- "jimp": "^0.22.12"

Override implemented:
- "minimist": "^1.2.6" (Snyk scan; to note: yarn audit flags older versions of this dependency as having a critical vulnerability, while Snyk doesn't mark it as high)
Breaking changes
Breaking changes are prevalent in the updated packages.
jimp release notes: fetch in v0.22.0

git-url-parse release notes

conventional-changelog-writer release notes

From what I understand, version 5.0.1 addresses the vulnerability and has the following breaking changes:

Version 7.0.1 introduces the following breaking changes:

Out of scope

Vulnerabilities marked low, moderate and high were ignored for now; just focused on the critical ones.

Yarn audit results

After these updates and running a yarn install, these are the yarn audit results:
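The minimist override only helps if every minimist range in yarn.lock actually resolves to a patched release. The following script is an added example, not part of this PR or the project: it parses a constructed yarn.lock (v1 format) and lists any resolved versions of a package that fall below a given floor, here minimist and the ^1.2.6 override, so the audit result can be double-checked against the lockfile.

```python
import re

# Constructed sample yarn.lock (v1 format): two minimist ranges resolve to a
# patched 1.2.8, but a pinned transitive range still resolves to 0.0.8, which
# is what an incomplete override would leave behind.
SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"minimist@^1.2.0", minimist@^1.2.5:
  version "1.2.8"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz"
  integrity sha512-PLACEHOLDER

minimist@0.0.8:
  version "0.0.8"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.0.8.tgz"
  integrity sha512-PLACEHOLDER
"""


def parse_version(version):
    """'1.2.8' -> (1, 2, 8); prerelease/build suffixes are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def resolved_versions(lock_text):
    """Map package name -> set of versions the lockfile resolves it to."""
    versions, names = {}, []
    for line in lock_text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line.startswith(" "):
            # Entry header: comma-separated "name@range" keys ending with ':'.
            names = []
            for key in line.rstrip(":").split(", "):
                name, _range = key.strip('"').rsplit("@", 1)
                names.append(name)
        else:
            match = re.match(r'\s+version "([^"]+)"', line)
            if match:
                for name in names:
                    versions.setdefault(name, set()).add(match.group(1))
    return versions


def versions_below(lock_text, package, minimum):
    """Resolved versions of `package` older than `minimum` (override gaps)."""
    floor = parse_version(minimum)
    found = resolved_versions(lock_text).get(package, set())
    return sorted(v for v in found if parse_version(v) < floor)
```

Run `versions_below(open("yarn.lock").read(), "minimist", "1.2.6")` against the real lockfile; an empty list means the override covered every minimist range.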