Dependabot issue (conflicting dependencies) #294

Closed
roughnecks opened this issue Sep 27, 2022 · 1 comment

@roughnecks

Hello,

I'm trying to fix a Dependabot issue on a repository of mine:

Dependabot cannot update nth-check to a non-vulnerable version
The latest possible version that can be installed is 1.0.2 because of the following conflicting dependencies:

steamcommunity@3.44.2 requires nth-check@~1.0.1 via a transitive dependency on css-select@1.2.0
steam-tradeoffer-manager@2.10.5 requires nth-check@~1.0.1 via a transitive dependency on css-select@1.2.0
No patched version available for nth-check
The earliest fixed version is 2.0.1.

Can you help to fix this ^ ?

Thanks

@DoctorMcKay
Owner

nth-check is a dependency of css-select, which is a dependency of cheerio@0.22.0. cheerio has not yet released a stable version newer than 0.22.0, so there's no way to upgrade its dependencies.

The vulnerability in question is not really an issue in this case, since cheerio isn't parsing any untrusted user input in this module (just HTML from steamcommunity.com).
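The chain reported by Dependabot and described in the reply above can be traced mechanically. This is an added example, not code from this issue or from the project; the package names and versions are taken from the thread, while the root `app`, the intermediate edges and their ranges, and the function names are assumptions made for illustration.

```javascript
// Constructed graph: package names and versions come from the issue; the root
// "app" and the intermediate edges/ranges are assumptions for illustration.
// Each entry maps a dependency name to [declared range, resolved version].
const graph = {
  'app@1.0.0': { steamcommunity: ['^3.44.2', '3.44.2'],
                 'steam-tradeoffer-manager': ['^2.10.5', '2.10.5'] },
  'steamcommunity@3.44.2': { cheerio: ['0.22.0', '0.22.0'] },
  'steam-tradeoffer-manager@2.10.5': { steamcommunity: ['^3.44.2', '3.44.2'] },
  'cheerio@0.22.0': { 'css-select': ['~1.2.0', '1.2.0'] },
  'css-select@1.2.0': { 'nth-check': ['~1.0.1', '1.0.2'] },
};

// Minimal tilde check: ~X.Y.Z means >=X.Y.Z and <X.(Y+1).0.
// Other range syntax is deliberately unsupported here.
function satisfiesTilde(version, range) {
  if (!range.startsWith('~')) throw new Error(`unsupported range: ${range}`);
  const [maj, min, pat] = range.slice(1).split('.').map(Number);
  const [vMaj, vMin, vPat] = version.split('.').map(Number);
  return vMaj === maj && vMin === min && vPat >= pat;
}

// Depth-first search for every chain from `root` to `target`, returning each
// path together with the range declared on the final edge.
function findChains(root, target, path = [root], seen = new Set([root])) {
  const chains = [];
  for (const [name, [range, resolved]] of Object.entries(graph[root] || {})) {
    const id = `${name}@${resolved}`;
    if (name === target) {
      chains.push({ path: [...path, id], range });
      continue;
    }
    if (seen.has(id)) continue; // guard against dependency cycles
    chains.push(...findChains(id, target, [...path, id], new Set([...seen, id])));
  }
  return chains;
}

// A chain blocks the update when its declared range excludes the fixed version.
function blockingChains(root, target, fixedVersion) {
  return findChains(root, target).filter(c => !satisfiesTilde(fixedVersion, c.range));
}

for (const c of blockingChains('app@1.0.0', 'nth-check', '2.0.1')) {
  console.log(`${c.path.join(' > ')} (declares ${c.range}, excludes 2.0.1)`);
}
```

Both chains end at the `~1.0.1` range declared by css-select@1.2.0, which is why 1.0.2 is the newest version that can be installed.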
