Deprecation of v10.1.3 #23

Closed
achrinza opened this issue Mar 25, 2022 · 0 comments

Deprecation of v10.1.3

Subscribe to this issue to receive critical updates on this advisory.

Summary

Applies to:

  • @achrinza/node-ipc@^10

Deprecated:

  • @achrinza/node-ipc@10.1.3

Replacement:

  • @achrinza/node-ipc@10.1.4

Description

Out of an abundance of caution, v10.1.3 has been deprecated in favor of v10.1.4, as it contained nested transitive production dependencies that are managed by @/riaevangelist (the original author of node-ipc).

The offending transitive development dependencies are:

  • @achrinza/node-ipc@10.1.3
    • event-pubsub@5.0.3
      • 5.0.3
        • strong-type@^0.1.3
          • 0.1.3
            • node-http-server@^8.1.3
          • 0.1.4
            • node-http-server@^8.1.3
            • vanilla-test@^1.4.2
          • 0.1.5
            • node-http-server@*
            • vanilla-test@*
          • 0.1.6
            • node-http-server@*
            • vanilla-test@*
    • strong-type@^1.0.1
      • 1.0.1

v10.1.4 resolves this issue by switching event-pubsub to @achrinza/event-pubsub, which depends on pinned versions of node-http-server and vanilla-test, and pins the version of strong-type. There are no functional code changes in v9.2.2 and v10.1.3.

At the time of writing, we have no reason to believe that any of these dependencies had any malicious code. However, this may change in the future and we strongly recommend upgrading the v10 version range to ^10.1.4.

References

Repository owner locked and limited conversation to collaborators Mar 25, 2022
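
To check whether a project still resolves the deprecated release or any of the transitive packages listed in this advisory, the following added example (not code from the advisory author or the node-ipc project) audits a parsed package-lock.json. The function names, the report shape and the sample lockfile are assumptions constructed for illustration.

```javascript
const DEPRECATED = { name: "@achrinza/node-ipc", version: "10.1.3" };
// Unscoped package names taken from the advisory's dependency tree.
const LISTED = new Set(["event-pubsub", "strong-type", "node-http-server", "vanilla-test"]);
const NM = "node_modules/";

// Yield { name, version, path } for every installed package in the lockfile.
function* installedPackages(lock) {
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf(NM);
      if (i === -1) continue; // root project or workspace folder, not an install
      yield { name: meta.name || path.slice(i + NM.length), version: meta.version, path };
    }
    return;
  }
  // lockfileVersion 1: nested "dependencies" objects.
  const stack = [[lock.dependencies || {}, ""]];
  while (stack.length > 0) {
    const [deps, prefix] = stack.pop();
    for (const [name, meta] of Object.entries(deps)) {
      const path = `${prefix}${NM}${name}`;
      yield { name, version: meta.version, path };
      if (meta.dependencies) stack.push([meta.dependencies, `${path}/`]);
    }
  }
}

// Report install paths of the deprecated release and of each listed package.
function auditLockfile(lock) {
  const report = { deprecated: [], listed: [] };
  for (const pkg of installedPackages(lock)) {
    const isDeprecated = pkg.name === DEPRECATED.name && pkg.version === DEPRECATED.version;
    if (isDeprecated) report.deprecated.push(pkg.path);
    if (LISTED.has(pkg.name)) report.listed.push(`${pkg.path}@${pkg.version}`);
  }
  return report;
}

// Constructed sample lockfile (lockfileVersion 3 layout), not from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@achrinza/node-ipc": { version: "10.1.3" },
    "node_modules/event-pubsub": { version: "5.0.3" },
    "node_modules/event-pubsub/node_modules/strong-type": { version: "0.1.6" },
  },
};
console.log(auditLockfile(sampleLock));
```

An entry under `listed` is an inventory item to review rather than a finding on its own: per the advisory, v10.1.4 still depends on node-http-server, vanilla-test and strong-type, but at pinned versions.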