Closed danepowell closed 2 years ago
@sindresorhus Can you update latest-version in the 5.x tag series as well? There are a lot of packages out here that are using it and can't just upgrade to ESM.
Since ensuring the safety and security of developers who cannot change to ESM has not been a priority for this project, I've created a fork here: https://www.npmjs.com/package/update-notifier-cjs
No meaningful logic changes have occurred to this library since making the change to ESM; this forked version is just 5.x, but with two other Sindre dependencies vendored so as to enable making use of the got patch that addresses CVE-2022-33987.
This package should update its dependency on latest-version to at least v6.0.0 to fix a downstream vulnerability in got. See https://github.com/remy/nodemon/issues/2023 for details.