remarkjs / remark-react

Deprecated plugin to transform to React — please use `remark-rehype` and `rehype-react` instead

Include standard changelog as a dev dependency #52

Closed ChristianMurphy closed 6 years ago

ChristianMurphy commented 6 years ago

Resolves a security alert message when including remark-react as a dependency

✗ Low severity vulnerability found on lodash@3.10.1
- desc: Prototype Pollution
- info: https://snyk.io/vuln/npm:lodash:20180130
- from: remark-react@4.0.1 > standard-changelog@0.0.1 > conventional-changelog-core@0.0.2 > conventional-commits-parser@0.1.2 > lodash@3.10.1
No direct dependency upgrade can address this issue.

davidtheclark commented 6 years ago

Thanks, @ChristianMurphy! I had quietly incorporated this change into https://github.com/mapbox/remark-react/pull/51/files#diff-b9cfc7f2cdf78a7f4b91a753d10865a2 while adjusting dependencies, so this is already handled in master. I'll try to cut a release with the fix soon!

ChristianMurphy commented 6 years ago

Thanks @davidtheclark!
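Why moving `standard-changelog` to `devDependencies` clears the alert for consumers, as an added example that is not part of the original thread or the project's code: npm installs a dependency's `dependencies` transitively but never its `devDependencies`. The chain is copied from the Snyk report above; the two manifests, the `registry` object, the `pathsTo` helper and the `remark-react@<next>` placeholder are assumptions made for illustration.

```javascript
// Constructed dependency graph: the chain and versions come from the Snyk
// report in the thread; everything else here is hypothetical sample data.
const registry = {
  'standard-changelog@0.0.1': { dependencies: ['conventional-changelog-core@0.0.2'] },
  'conventional-changelog-core@0.0.2': { dependencies: ['conventional-commits-parser@0.1.2'] },
  'conventional-commits-parser@0.1.2': { dependencies: ['lodash@3.10.1'] },
  'lodash@3.10.1': { dependencies: [] },
};

// Hypothetical manifests before and after the change in the PR title.
const before = {
  name: 'remark-react@4.0.1',
  dependencies: ['standard-changelog@0.0.1'],
  devDependencies: [],
};
const after = {
  name: 'remark-react@<next>', // placeholder: the fixed version is not on the page
  dependencies: [],
  devDependencies: ['standard-changelog@0.0.1'],
};

// Return every install path from `manifest` to `target`.
// includeDev=false models a consumer installing the package;
// includeDev=true models a maintainer installing inside the package's repo.
// Below the root only `dependencies` are followed, as npm does.
function pathsTo(manifest, target, { includeDev = false } = {}) {
  const roots = includeDev
    ? [...manifest.dependencies, ...manifest.devDependencies]
    : manifest.dependencies;
  const found = [];
  const walk = (id, trail) => {
    if (trail.includes(id)) return; // cycle guard
    const next = [...trail, id];
    if (id === target) { found.push(next.join(' > ')); return; }
    const node = registry[id];
    if (!node) return; // package not in the sample graph
    node.dependencies.forEach((dep) => walk(dep, next));
  };
  roots.forEach((root) => walk(root, [manifest.name]));
  return found;
}

console.log('consumer, before:', pathsTo(before, 'lodash@3.10.1'));
console.log('consumer, after: ', pathsTo(after, 'lodash@3.10.1'));
console.log('maintainer, after:', pathsTo(after, 'lodash@3.10.1', { includeDev: true }));
```

The maintainer-side path remains after the change, so the vulnerable `lodash` still lands in the project's own development install until the changelog tooling itself is upgraded.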