webpro / dyson

Node server for dynamic, fake JSON.
837 stars 62 forks

Explicit versions prevent fixing npm vulnerabilities #110

Closed m3fawner closed 3 years ago

m3fawner commented 3 years ago

Lodash 4.17.20 has a reported vulnerability addressed in version 4.17.21; however, as a result of explicitly requiring 4.17.20 in Dyson, we can't effectively address the vulnerability.

Would you be against having all of the packages have the appropriate semantic modifiers?

webpro commented 3 years ago

Good idea, I've just published v4 (major bump because of Node.js v10).

m3fawner commented 3 years ago

Thank you!
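As an added illustration of the problem reported in this issue (not code from dyson or from the commenters): a small check that lists dependencies whose declared range cannot admit a fixed release. The manifest is constructed, only the lodash versions come from the issue, and the range matcher is a simplified subset of npm's semantics (exact, `^`, `~`) written for this example.

```javascript
// Constructed manifest: only the lodash pin is taken from the issue above;
// the other two entries are hypothetical.
const dependencies = {
  lodash: "4.17.20",
  "example-lib": "^2.3.1",
  "other-lib": "~1.4.0",
};

// Parse a plain "x.y.z" version; anything else is out of scope for this sketch.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version: ${version}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Subset of npm range semantics: exact "x.y.z", caret "^x.y.z", tilde "~x.y.z".
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const v = parse(version);
  const base = parse(range.slice(op.length));
  if (op === "") return compare(v, base) === 0; // exact pin: one version only
  if (compare(v, base) < 0) return false;       // never below the declared floor
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  // Caret: the leftmost non-zero component must not change.
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return compare(v, base) === 0;
}

// List dependencies whose declared range does not admit the fixed release.
function blockedFixes(deps, fixedVersions) {
  return Object.entries(fixedVersions)
    .filter(([name, fixed]) => name in deps && !satisfies(fixed, deps[name]))
    .map(([name, fixed]) => ({ name, declared: deps[name], fixed }));
}

// The fixed version is the one named in the issue.
console.log(blockedFixes(dependencies, { lodash: "4.17.21" }));
console.log(blockedFixes({ lodash: "^4.17.20" }, { lodash: "4.17.21" }));
```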