Closed sikachu closed 2 years ago
The vulnerability isn't really relevant here, since this is all inside dev tools, which have no user input. This goes to the fundamental critique of the hamster wheel that yarn audit creates.
That said, don't mind the dependency upgrade, but I doubt we have good test coverage in this area, so probably need to either add that or validate by hand.
Sure thing. I can look into it.
Alternatively, I think #2802 actually removed this dependency and made it on-demand (i.e. it won't be used if it's not installed). Maybe we can also do something similar here as well, but I'm not sure if that would be appropriate for a minor/patch release change.
See comment on #3217. This can probably be resolved either by upgrading or using yarn resolutions.
This PR updates the optimize-css-assets-webpack-plugin package to ^6.0.1.

We need to update optimize-css-assets-webpack-plugin to version 6.0.1 or later as version 5.0.8 eventually resolves to install a vulnerable version of nth-check (1.0.2): https://github.com/advisories/GHSA-rp65-9cf3-cjxr

You can see the dependencies from this reconstructed dependency tree:

Updating optimize-css-assets-webpack-plugin to version 6.0.1 will update the dependency tree to look like this:

I followed the instructions in CONTRIBUTING.md and got a green test suite on both yarn test and rake test, so I don't think this will cause any issue.
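The thread suggests validating the change by hand rather than trusting yarn audit blindly. The script below is an added example, not code from this PR or the project: it parses a yarn.lock (v1 format) and lists every requested range of a package that still resolves to a version below a minimum you supply. The lock-file fragment is constructed for illustration, and the minimum safe version of 2.0.1 is an assumption based on my reading of the linked advisory, so confirm it against the advisory before relying on the result.

```python
import re

# Constructed yarn.lock v1 fragment for the example (not the project's lock file).
# It mimics the situation in the PR: two ranges still resolve nth-check to 1.0.2,
# while a third range already resolves to 2.0.1.
SAMPLE_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


boolbase@~1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/boolbase/-/boolbase-1.0.0.tgz"

nth-check@^1.0.2, nth-check@~1.0.1:
  version "1.0.2"
  resolved "https://registry.yarnpkg.com/nth-check/-/nth-check-1.0.2.tgz"
  dependencies:
    boolbase "~1.0.0"

nth-check@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/nth-check/-/nth-check-2.0.1.tgz"
  dependencies:
    boolbase "^1.0.0"
"""

# An entry header is an unindented line ending in ':' that lists one or more
# requested ranges separated by commas (ranges may be double-quoted).
ENTRY_HEADER = re.compile(r'^(\S.*):$')
# The resolved version appears as an indented `version "x.y.z"` line.
VERSION_LINE = re.compile(r'^\s+version "([^"]+)"$')


def parse_yarn_lock(text):
    """Map every requested range (e.g. 'nth-check@^1.0.2') to its resolved version."""
    resolved = {}
    pending_specs = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        header = ENTRY_HEADER.match(line)
        if header:
            pending_specs = [s.strip().strip('"') for s in header.group(1).split(',')]
            continue
        version = VERSION_LINE.match(line)
        if version and pending_specs:
            for spec in pending_specs:
                resolved[spec] = version.group(1)
            pending_specs = []
    return resolved


def parse_version(version):
    """Turn '2.0.1' (or '2.0.0-beta.1', ignoring the prerelease tag) into a comparable tuple."""
    core = version.split('-')[0]
    return tuple(int(part) for part in core.split('.'))


def package_name(spec):
    """Strip the range from a spec; handles scoped names like '@scope/name@^1.0.0'."""
    return spec.rsplit('@', 1)[0]


def find_vulnerable(lock_text, package, min_safe):
    """Return sorted (spec, resolved_version) pairs of `package` resolving below `min_safe`."""
    hits = []
    for spec, version in parse_yarn_lock(lock_text).items():
        if package_name(spec) == package and parse_version(version) < parse_version(min_safe):
            hits.append((spec, version))
    return sorted(hits)


if __name__ == "__main__":
    # Assumed minimum safe version of nth-check; verify against the advisory.
    for spec, version in find_vulnerable(SAMPLE_LOCK, "nth-check", "2.0.1"):
        print(f"{spec} still resolves to {version}")
```

Run it against the real yarn.lock by reading the file into `find_vulnerable` instead of `SAMPLE_LOCK`; an empty result after the upgrade (or after adding a yarn resolutions entry) confirms that no range still pins the old version.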