Closed Xotic750 closed 4 years ago
like many npm audit reports, this is a false positive, as eslint-find-rules isn’t long-running enough for this to be a problem.
Also mem and nodejs-mem are two different packages.
Ok, little confused here as to what github is on about?
ah, maybe it's just a poorly-written CVE explanation.
Either way, it's a false positive for this tool, and we'd have to update yargs to avoid it, which I suspect isn't worth the effort.
I understand the effort part. :) I was not overly concerned, but explain that to my manager. :D
I created a PR for a full dependency update: https://github.com/sarbbottam/eslint-find-rules/pull/308
All seems well with it, if you want to use it ;)
We can revisit updating yargs past v11 if node 4 is dropped in the future.
It's worth updating just to get rid of the false alarm for everybody who encounters it, who is currently forced to go investigate and waste a ton of time. I would suggest reopening.
A better solution would be to direct efforts towards CVE factories and warning mechanisms (npm audit, github's vuln alerts) to find ways to minimize false positives rather than forcing churn on maintainers.
@ljharb Not quite sure why you think this is a false positive, as the dependency is quite clear:
└─┬ eslint-find-rules@3.3.1
└─┬ yargs@8.0.2
└─┬ os-locale@2.1.0
└── mem@1.1.0
I'm assuming you consider it a FP b/c it's not directly on eslint-find-rules
, but instead one of its dependencies, but just want to ask in case I've missed something 🙂
That aside, since ESLint has now dropped Node4 support is there anything in particular that's keeping node@4 support around for you?
If it's a matter of time, I'm happy to do the bulk of the work if you'd be happy to review the PR 🙂 (also happy to wait until the new major of ESLint is released, so that node@8 support can be dropped at the same time)
@G-Rath it's a false positive not because it's not in the dep graph, but because the CVE does not affect eslint-find-rule's usage of yargs and thus mem.
eslint-find-rules
supports down to eslint 3; what eslint 6 has dropped isn't really relevant. There would need to be a very compelling reason to drop support of an old eslint, i think, and "there's a non-applicable audit warning" doesn't feel like one.
npm ls mem
shows: