TANGRAM VERSION:
Tangram version: 0.21.1
The js-yaml fork used in Tangram has high severity security vulnerabilities according to npm audit. That makes it difficult to use Tangram in any kind of enterprise product. Is it possible to update js-yaml to version 3.13.1 or later?
ENVIRONMENT:
macOS 10.15.7
TO REPRODUCE THE ISSUE, FOLLOW THESE STEPS:
Add Tangram as a dependency to your project. Run npm audit (or yarn audit)
RESULT:
js-yaml <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813
EXPECTED RESULT:npm audit should not find vulnerabilities related to Tangram.
cluen
commented
6 months ago
TANGRAM VERSION: Tangram version: 0.21.1 The js-yaml fork used in Tangram has high severity security vulnerabilities according to
npm audit. That makes it difficult to use Tangram in any kind of enterprise product. Is it possible to update js-yaml to version 3.13.1 or later?ENVIRONMENT: macOS 10.15.7
TO REPRODUCE THE ISSUE, FOLLOW THESE STEPS: Add Tangram as a dependency to your project. Run
npm audit(oryarn audit)RESULT:
EXPECTED RESULT:
npm auditshould not find vulnerabilities related to Tangram.