Code injection security vulnerability at js-yaml #183
Comments
thanks for the report. I'll have time to take a look this weekend. It's the second security issue we've had with that library within a short time frame though, I'll probably check out alternative libraries while I'm at it.

I might open up a PR for this one if there is a chance you can get it merged this week

if your issue is time sensitive then you should fork the repo and depend on that in the meantime. I assume this issue will be addressed within the next couple weeks, but we can't promise anything.

Removing the lock file and a clean install would pull in the latest version of
Alright, here's what I found. js-yaml has three advisories raised on npm

Two of them are irrelevant to cosmiconfig because the risk was
However because of the existence of
I found two other yaml parsing libraries that seem reliable but neither support node v4
yaml requires v6+ (seems more actively maintained than yaml-js)
Both libraries

Unfortunately I think we're stuck bumping js-yaml versions every time an advisory is raised for the
Hi there,

Thanks for making cosmiconfig!

You have a dependency on js-yaml@3.13.0. Please see this report of a High severity vulnerability in this module. https://www.npmjs.com/advisories/813