yeoman / yosay

Tell Yeoman what to say
BSD 2-Clause "Simplified" License

Cut a new release to solve security issues in dependency chains #34

Closed vpetkar closed 11 months ago

vpetkar commented 2 years ago

There are security vulnerabilities in ansi-regex <3.0.0. It appears that this has already been fixed on master, so all that is required is cutting a new release to npm.

dylanlan commented 1 year ago

We'd also be interested in this - we're running into the same vulnerability warning from Snyk.

We have considered trying to use a Yarn Resolution to indirectly upgrade the ansi-regex version that gets used: https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/

It'd be nice to just use a new version of this package instead, though.
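An added example, not part of the thread or the yosay project: a Node.js check that lists every copy of ansi-regex below 3.0.0 still present in an npm lockfile, which is one way to confirm that a new release or a resolution override actually removed the flagged versions. It assumes the `lockfileVersion` 1 layout (nested `dependencies`); the sample lockfile and the `example-cli` package name are constructed.

```javascript
// Threshold taken from the issue above: ansi-regex below 3.0.0 is flagged.
const PACKAGE = 'ansi-regex';
const FIXED_IN = '3.0.0';

// Compare plain x.y.z versions numerically (any pre-release suffix is ignored).
function isOlder(version, limit) {
  const a = version.split('-')[0].split('.').map(Number);
  const b = limit.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false; // equal versions are not older
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 package-lock.json
// and return the node_modules nesting path of every flagged copy.
function findOldCopies(lock, trail = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...trail, `${name}@${entry.version}`];
    if (name === PACKAGE && isOlder(entry.version, FIXED_IN)) {
      hits.push(path.join(' > '));
    }
    hits.push(...findOldCopies(entry, path));
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'ansi-regex': { version: '5.0.1' },
    'example-cli': {
      version: '1.0.0',
      dependencies: {
        'strip-ansi': {
          version: '3.0.1',
          dependencies: { 'ansi-regex': { version: '2.1.1' } },
        },
        'ansi-regex': { version: '3.0.0' },
      },
    },
  },
};

console.log(findOldCopies(sampleLock));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`.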