This repository has been archived by the owner on Jun 27, 2019. It is now read-only.

Update transitive dependencies, fix vulnerability #25

Closed

roschaefer
Contributor

Vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

`rm yarn.lock`
`yarn install`

There is currently no way to update single transitive dependencies
see: yarnpkg/rfcs#54

The dependency manager of this repository is `yarn` not `npm`, so we
should only keep `yarn.lock` but not `package-lock.json` in order not to
confuse vulnerability scans of GitHub.
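
A check to run after the lockfile regeneration described in the pull request above, as an added example that is not part of the original thread or the project's code: it parses a `yarn.lock` (v1 format) and lists the versions of one package still pinned below a fixed release. The package name `example-dep`, the version numbers and the helper names are assumptions made for illustration.

```javascript
// Added example (not from the pull request). "example-dep" and every version
// number here are constructed placeholders, not values from the advisory.
function specName(spec) {
  const s = spec.trim().replace(/^"|"$/g, "");
  return s.slice(0, s.indexOf("@", 1)); // start at 1 to skip a scope's "@"
}
// Numeric major.minor.patch comparison; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Every distinct version the lockfile resolves for `pkg`, sorted ascending.
function lockedVersions(lockText, pkg) {
  const found = new Set();
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      // Entry header: comma-separated specifiers that share one resolution.
      inEntry = line.slice(0, -1).split(",").some((s) => specName(s) === pkg);
    } else if (inEntry) {
      const m = /^  version "?([^"\s]+)"?$/.exec(line);
      if (m) found.add(m[1]);
    }
  }
  return [...found].sort(compareVersions);
}
// Assumes a single fixed release; anything locked below it counts as affected.
function vulnerableVersions(lockText, pkg, fixedIn) {
  return lockedVersions(lockText, pkg).filter((v) => compareVersions(v, fixedIn) < 0);
}

// Constructed lockfiles: before, and after `rm yarn.lock` + `yarn install`.
const BEFORE = `# yarn lockfile v1
example-dep@2.x.x:
  version "2.16.3"
"example-dep@^4.0.0", example-dep@4.x.x:
  version "4.2.0"
"@scope/example-dep@^1.0.0":
  version "1.0.0"
`;
const AFTER = BEFORE.replace('version "4.2.0"', 'version "4.2.1"');
console.log(vulnerableVersions(BEFORE, "example-dep", "4.2.1"), vulnerableVersions(AFTER, "example-dep", "4.2.1"));
```

In the constructed data the `2.x.x` entry stays below the fixed release after regeneration, because `yarn install` only re-resolves each dependency within the range its parent declares.
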
@appinteractive
Member

We have to check if the new versions still are working. Also the build is failing currently.

@appinteractive
Member

As this breaks the build for an unknown reason, we are still waiting for a proper resolution on this.

@appinteractive added the Help-Wanted (Extra attention is needed) and dependencies (Automated Updating mechanism) labels on May 11, 2018
@appinteractive
Member

Fixed with #63
