semantic-release / npm

:ship: semantic-release plugin to publish an npm package
MIT License

fix vulnerability with http-cache-semantics <4.1.0 #574

Closed ydekel6 closed 1 year ago

ydekel6 commented 1 year ago

The module http-cache-semantics, which comes in through make-fetch-happen from npm@8.19.3, has a high-severity CVE: https://github.com/advisories/GHSA-rc47-6667-2j5j

We need to either move to a newer npm@8 version or to npm@9.
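As an added example (not code from the semantic-release/npm project or from this thread), a small Node script that scans a package-lock.json (lockfileVersion 2 or 3) for copies of http-cache-semantics older than 4.1.0, the range named in the advisory linked above, and reports the dependency chain that pulled each one in. The lock data embedded below is constructed sample data; the make-fetch-happen version in it is a placeholder, not the real pinned version.

```javascript
// Added example: find vulnerable http-cache-semantics copies in an npm lockfile.
const VULN_PKG = 'http-cache-semantics';
const FIXED = [4, 1, 0]; // advisory range is <4.1.0, so 4.1.0 is the first fixed version

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build suffixes are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when version `v` is strictly older than the `fixed` triple.
function isBelow(v, fixed) {
  const a = parseSemver(v);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== fixed[i]) return a[i] < fixed[i];
  }
  return false;
}

// Walk the flat `packages` map of a v2/v3 lockfile. Keys such as
// "node_modules/npm/node_modules/make-fetch-happen/node_modules/http-cache-semantics"
// encode the nesting, so the key itself records which parents pulled the copy in.
function findVulnerable(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key.endsWith(`node_modules/${VULN_PKG}`)) continue;
    if (!isBelow(entry.version, FIXED)) continue;
    const chain = key.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
    hits.push({ path: key, version: entry.version, chain });
  }
  return hits;
}

// Constructed sample lock: one fixed top-level copy, one vulnerable copy nested under npm.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/http-cache-semantics': { version: '4.1.1' },
    'node_modules/npm': { version: '8.19.3' },
    'node_modules/npm/node_modules/make-fetch-happen': { version: '0.0.0-placeholder' },
    'node_modules/npm/node_modules/make-fetch-happen/node_modules/http-cache-semantics': { version: '4.0.3' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${VULN_PKG}@${h.version} via ${h.chain.join(' > ')}`);
}
```

On a real checkout, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm ls http-cache-semantics` shows the same chain from the installed tree.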

PythonCoderAS commented 1 year ago

There is no newer npm@8 version. I don't see why we need to be locked onto npm@8 either.

crudo commented 1 year ago

https://github.com/npm/cli/issues/6151

crudo commented 1 year ago

There is a new v8 version https://github.com/npm/cli/releases/tag/v8.19.4

travi commented 1 year ago

This should no longer be a problem.