yeoman / update-notifier

Update notifications for your CLI app
BSD 2-Clause "Simplified" License
1.76k stars, 132 forks

config-store dependency needs updating #185

Closed. zenlex closed this 4 years ago

zenlex commented 4 years ago

Per https://npmjs.com/advisories/1213, dot-prop versions prior to 5.1.1 have a prototype pollution vulnerability. It has been patched in >=5.1.1. config-store has been updated to the newer dot-prop version.
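
The vulnerability class named in the advisory above, as an added illustration that is not part of this issue and not dot-prop's or configstore's code: a minimal dot-path setter written here that walks `__proto__` / `constructor` segments (the bug pattern), beside a hardened variant that refuses those segments and only descends into own properties. The function names, the `FORBIDDEN` set and the input path are assumptions for the demonstration; the exact patch shipped in dot-prop 5.1.1 is not reproduced here.

```javascript
// Added example: NOT dot-prop's or configstore's source. Names are hypothetical.

// Vulnerable pattern: every path segment, including "__proto__" and
// "constructor", is followed as an ordinary property lookup.
function setUnsafe(obj, path, value) {
  const segments = path.split('.');
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key]; // for "__proto__" this is Object.prototype
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Hardened variant (one way to close the hole, written for this example):
// reject segments that reach the prototype chain, and only descend into
// own properties so an inherited "constructor" lookup cannot climb to Object.
const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);

function setSafe(obj, path, value) {
  const segments = path.split('.');
  for (const key of segments) {
    if (FORBIDDEN.has(key)) {
      throw new Error(`refusing to set forbidden path segment "${key}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Constructed attacker-controlled path, as a config consumer might read from an
// untrusted source. Shows that the unsafe setter pollutes every object in the
// process, and that the hardened setter refuses the same input.
function demoProtoPath() {
  const attackerPath = '__proto__.polluted';
  const before = ({}).polluted;          // undefined
  setUnsafe({}, attackerPath, 'yes');
  const after = ({}).polluted;           // 'yes' on a brand-new object
  delete Object.prototype.polluted;      // clean up so nothing else is affected
  let refused = false;
  try { setSafe({}, attackerPath, 'yes'); } catch (e) { refused = true; }
  const normal = setSafe({}, 'a.b.c', 1); // benign path still works
  return { before, after, refused, normal };
}

// Same effect via "constructor.prototype", which has no "__proto__" in it:
// a filter that only blocks "__proto__" is not enough.
function demoConstructorPath() {
  setUnsafe({}, 'constructor.prototype.polluted2', 1);
  const leaked = ({}).polluted2;         // 1
  delete Object.prototype.polluted2;
  let refused = false;
  try { setSafe({}, 'constructor.prototype.polluted2', 1); } catch (e) { refused = true; }
  return { leaked, refused };
}
```

The practical check for a consumer of update-notifier is whether the resolved dot-prop in the tree is >= 5.1.1 rather than what package.json declares, since a transitive pin elsewhere in the tree (as described later in this thread for gatsby) can keep an older copy installed.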

chayev commented 4 years ago

Was this resolved? Or did you move this somewhere else? @zenlex

zenlex commented 4 years ago

So I could be wrong; I'm fairly new to the whole package management / npm ecosystem. This was brought up by a security vulnerability thrown by the gatsby-cli related to dot-prop, update-notifier, and configurable-store. When I tried to trace the problem, there was an issue filed on one of the other packages that said the dependency issue landed here, so I made the issue. When I took another look at the package.json file here, though, it looked like the version had already been updated to the recommended spec. That led me to think I had made an error in filing the issue, so I closed it. If I'm correct, it's actually gatsby that is now behind on the update to the chain, but again, I'm new to this.