yet another high severity vulnerability in the nested deps #2182

a-x- · 2019-07-10T10:17:28Z

ava -> update-notifier -> ... -> deep-extend

Update please the update-notifier

The text was updated successfully, but these errors were encountered:

novemberborn · 2019-07-10T10:42:01Z

Presumably however deep this dependency is installed, given that the fix is in a patch release it will be pulled in when you re-install your dependencies. But also, given that this is not a direct dependency of AVA, and not even a direct dependency of update-notifier, there is nothing we can do about this here. And finally, given that both AVA and update-notifier run during development rather than in your server, the kind of vulnerability described here simply will not affect you.

Assessing vulnerability reports is not easy, but there's no need to open these kinds of issues.

a-x- · 2019-07-12T13:54:59Z

you can pin specific version into package-lock.json

the kind of vulnerability described here simply will not affect you

yes, I know it, i disabled this report

but there's no need to open these kinds of issues

hm, okaaaay...

novemberborn closed this as completed Jul 10, 2019

novemberborn mentioned this issue Jul 15, 2019

Vulnerabilities? #2188

Closed

jimmywarting mentioned this issue Jun 13, 2021

consider removing update-notifier? #2767

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

yet another high severity vulnerability in the nested deps #2182

yet another high severity vulnerability in the nested deps #2182

a-x- commented Jul 10, 2019

novemberborn commented Jul 10, 2019

a-x- commented Jul 12, 2019 •

edited

Loading

yet another high severity vulnerability in the nested deps #2182

yet another high severity vulnerability in the nested deps #2182

Comments

a-x- commented Jul 10, 2019

novemberborn commented Jul 10, 2019

a-x- commented Jul 12, 2019 • edited Loading

a-x- commented Jul 12, 2019 •

edited

Loading