Update date-and-time #1538
Labels
api: storage
Issues related to the googleapis/nodejs-storage API.
priority: p2
Moderately-important priority. Fix may not be included in next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Subject of the issue
@google-cloud/storage@4.7.0 requires date-and-time@0.13.1, which has a security problem (see: CVE-2020-26289):
@google-cloud/storage@4.7.0 ➔ date-and-time@0.13.1
I do not know if this vulnerability actually affects @google-cloud/storage, but it will show up in security reports about dependencies. Since a large number of developers still use @google-cloud/storage@4.7.0(150,282 downloads per week), is there any posibility that you could release an update version for 4.7.* (ie 4.7.1) that introduces a patched version(>=0.14.2) of date-and-time?
In @google-cloud/storage@4.7.1, maybe you can perform the following update(not crossing major version):
date-and-time ^0.13.0 ➔ ^0.14.2
where date-and-time@0.14.2(>=0.14.2) has fixed the vulnerability CVE-2020-26289.
Thank you for your help.^_^
The text was updated successfully, but these errors were encountered: