Closed goldengecko closed 4 years ago
Duplicate of https://github.com/scijs/cwise/issues/19
@etpinard You are referring to an issue that is 2 years old, the PR ( https://github.com/scijs/cwise/pull/25 ) that is meant to fix the security vulnerability has had no meaningful update or discussion since Jul 25, 2019.
At this point I think it's fair to assume the vulnerability will not be fixed at cwise's side, and I suggest looking into alternatives.
Why is this issue closed? There are still security issues with cwise.
They may not cause direct issues with this repo, but at some point a non-maintained dependency with security issues should be fixed or replaced.
We're tracking this in https://github.com/plotly/plotly.js/issues/4796 now :)
To reproduce, install plotly.js in a project, and run `npm audit`.
Expected outcome: no security issues. Actual outcome: reports an issue due to the version of static-eval linked to in the package. Fix: update the static-eval version to >= 2.0.2. See https://www.npmjs.com/advisories/758
There are 16 security alerts generated, but they all refer to the same issue, as shown in the attached image.
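As an added example (not code from this thread, plotly.js or cwise), a small Node script that walks a package-lock.json dependency tree (npm lockfileVersion 1 layout) and reports every static-eval copy below the fixed 2.0.2 together with its dependency path, so a pile of duplicate alerts collapses to the one transitive dependency that needs updating. The lockfile fragment is constructed inline; the versions in it are illustrative, not plotly.js's real ones.

```javascript
// Added example: locate vulnerable static-eval copies in a lockfile tree.
// FIXED is the first patched version named in the issue (npm advisory 758).
const FIXED = [2, 0, 2];

function parseVersion(v) {
  // Plain "major.minor.patch" only; prerelease tags are not handled here.
  return v.split('.').map(Number);
}

function isBelowFixed(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] < FIXED[i]) return true;
    if (a[i] > FIXED[i]) return false;
  }
  return false; // equal to FIXED is already patched
}

// Recursively walk nested "dependencies" objects (lockfileVersion 1 shape),
// keeping the path from the root so the offending parent is obvious.
function findVulnerable(deps, pkg = 'static-eval', path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === pkg && isBelowFixed(info.version)) out.push(here.join(' > '));
    findVulnerable(info.dependencies, pkg, here, out);
  }
  return out;
}

// Constructed sample lockfile fragment (hypothetical versions).
const sampleLock = {
  dependencies: {
    'plotly.js': { version: '1.0.0', dependencies: {
      cwise: { version: '1.0.0', dependencies: {
        'static-eval': { version: '0.2.4' } } } } },
    'static-eval': { version: '2.0.2' }, // patched top-level copy, not reported
  },
};

const hits = findVulnerable(sampleLock.dependencies);
console.log(hits.length ? hits.join('\n') : 'no vulnerable static-eval found');
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a reported path ending in a cwise-owned static-eval is the signal that cwise itself must be updated or replaced.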