smeijer / unimported

Find and fix dangling files and unused dependencies in your JavaScript projects.
MIT License
1.97k stars 71 forks

Update simple-git to a secure version #151

Closed LukaszGrela closed 1 year ago

LukaszGrela commented 1 year ago

We're using unimported with success, thank you, but recently a git Dependabot alert reported an issue with the simple-git dependency.

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods due to improper sanitization... CVE-2022-25912.

Could you update the version of simple-git please?
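
A way to confirm whether a project still carries a simple-git release below the advisory's fixed version (3.16.0), added here as an example and not code from the unimported project or from either commenter. It assumes a `package-lock.json` with lockfileVersion 2 or 3 (the `packages` map), and the sample lockfile is constructed.

```javascript
// Added example (not from the unimported project): scan a package-lock.json
// for every installed copy of simple-git and flag those below the fixed
// version named in the advisory quoted above (3.16.0, CVE-2022-25912).
// Assumes lockfileVersion 2 or 3, where "packages" maps paths to entries.
const FIXED_VERSION = "3.16.0";

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes dropped) into numbers.
function parseSemver(version) {
  const core = version.split(/[-+]/)[0];
  return core.split(".").map((part) => Number.parseInt(part, 10) || 0);
}

// Returns true when `version` is at or above `fixed` (prerelease ignored).
function isAtLeast(version, fixed) {
  const a = parseSemver(version);
  const b = parseSemver(fixed);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Walk the lockfile's "packages" map and return every installed simple-git,
// including nested copies under other dependencies, with a vulnerable flag.
function auditSimpleGit(lockfile) {
  const packages = lockfile.packages || {};
  return Object.entries(packages)
    .filter(([path]) => path.endsWith("node_modules/simple-git"))
    .map(([path, entry]) => ({
      path,
      version: entry.version,
      vulnerable: !isAtLeast(entry.version, FIXED_VERSION),
    }));
}

// Constructed sample lockfile: a direct, patched copy at the top level and a
// nested, still-vulnerable copy pulled in through a hypothetical dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/simple-git": { version: "3.16.0" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/simple-git": { version: "3.10.0" },
  },
};

const findings = auditSimpleGit(sampleLock);
findings.forEach((f) =>
  console.log(`${f.path}@${f.version}: ${f.vulnerable ? "VULNERABLE" : "ok"}`));
```

Nested copies are the ones `npm ls simple-git` users most often overlook; the direct dependency can be patched while a transitive copy keeps the old version.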

smeijer commented 1 year ago

Can you please submit a pull request?

smeijer commented 1 year ago

:tada: This issue has been resolved in version 1.29.1 :tada:

The release is available on:

Your semantic-release bot :package::rocket: