
Update tsconfig-paths to latest fix #98

Closed
commit-master opened this issue Mar 23, 2022 · 8 comments · Fixed by #99

Comments

@commit-master

Hi,

Thanks again for this wonderful package. A security vulnerability has been discovered in the minimist package. tsconfig-paths makes use of it, and they have updated their package to fix the issue. Could you be so kind as to update this package to the latest fix?

More info here: GHSA-vh95-rmgr-6w4m
tsconfig-paths package.json: https://github.com/dividab/tsconfig-paths/blob/master/package.json

Thanks again.

@JounQin
Collaborator

JounQin commented Mar 23, 2022

We're using tsconfig-paths: "^3.9.0", which should cover the latest version. If you want to ensure the version of tsconfig-paths is the latest, just reinstall eslint-import-resolver-typescript and you'll get it.

See also #86 (comment)

@JounQin JounQin closed this as completed Mar 23, 2022
@commit-master
Author

Thanks for the quick reply.
I'm currently on v2.5.0 which seems to be the latest version.

tsconfig-paths@3.9.0 is using an old and vulnerable minimist dependency (see below)
https://github.com/dividab/tsconfig-paths/blob/287867d1140c14366f280910099938c5c0976f3c/package.json#L33

They just updated this vulnerability fix a few hours ago in the v3.14.1:
dividab/tsconfig-paths@22b9d74

Thanks.

@JounQin
Collaborator

JounQin commented Mar 23, 2022

Again, ^3.9.0 covers 3.14.1, just reinstall this package, pls.

@commit-master
Author

This is very confusing.

Removing the package-lock and node_modules and re-installing does not change anything, since this is a sub-dependency. Am I missing something here?

To me the best way to handle this would be updating your dependencies on this project and then running an npm update on my end.

I don't think you can currently update a sub-dependency on a project.

I'd be happy to submit a PR for this if you want.

@JounQin
Collaborator

JounQin commented Mar 23, 2022

`npm uninstall eslint-import-resolver-typescript && npm install -D eslint-import-resolver-typescript`, have you ever tried it? ^3.9.0 will resolve the latest version of tsconfig-paths on a new installation.
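The two replies above rest on how npm resolves a caret range for a transitive dependency: `^3.9.0` admits any `3.x.y` at or above `3.9.0`, so a fresh install picks up the patched `3.14.1`, while an existing lockfile can keep pinning the vulnerable `3.9.0` even though it is inside the range. The script below is an added example, not code from this issue or from eslint-import-resolver-typescript; it implements the caret rule itself (a minimal stand-in for the `semver` package, not that library), reads a constructed lockfile fragment, and reports whether the locked version of a transitive dependency is in range and whether it meets the minimum patched version stated in the thread (`3.14.1` for tsconfig-paths). The lockfile contents and the registry version list are constructed sample data.

```javascript
// Added example: check a transitive dependency in a package-lock against a caret
// range and a minimum patched version. No third-party packages are used; the
// semver logic is a minimal caret implementation, not the `semver` library.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret rule: the version must be >= the lower bound and must not change the
// left-most non-zero component of that bound (^3.9.0 => >=3.9.0 <4.0.0,
// ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => exactly 0.0.3).
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  const lower = parseVersion(base);
  const v = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  const firstNonZero = lower.findIndex((n) => n !== 0);
  const pinUpTo = firstNonZero === -1 ? 2 : firstNonZero;
  for (let i = 0; i <= pinUpTo; i++) {
    if (v[i] !== lower[i]) return false;
  }
  return true;
}

// Constructed package-lock fragment (lockfileVersion 2 "packages" shape, sample data):
// the resolver is in range for tsconfig-paths but the lock still pins 3.9.0.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    'node_modules/eslint-import-resolver-typescript': {
      version: '2.5.0',
      dependencies: { 'tsconfig-paths': '^3.9.0' },
    },
    'node_modules/tsconfig-paths': { version: '3.9.0' },
  },
};

function lockedVersion(lock, pkgName) {
  const entry = lock.packages[`node_modules/${pkgName}`];
  return entry ? entry.version : null;
}

// Report on one transitive dependency: inRange says the locked version satisfies
// the dependent's declared range; patched says it is >= minPatched. "In range but
// unpatched" is exactly the state a stale lockfile produces.
function auditTransitive(lock, dependent, depName, minPatched) {
  const parent = lock.packages[`node_modules/${dependent}`];
  const range = parent && parent.dependencies ? parent.dependencies[depName] : undefined;
  const resolved = lockedVersion(lock, depName);
  return {
    range,
    resolved,
    inRange: resolved !== null && range !== undefined && satisfiesCaret(range, resolved),
    patched: resolved !== null && compareVersions(resolved, minPatched) >= 0,
  };
}

// What a fresh install does: pick the highest published version inside the range.
// `available` stands in for the registry's version list (constructed here).
function resolveNewest(range, available) {
  const candidates = available.filter((v) => satisfiesCaret(range, v));
  candidates.sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Stand-alone demo
const report = auditTransitive(sampleLock, 'eslint-import-resolver-typescript', 'tsconfig-paths', '3.14.1');
console.log('locked tsconfig-paths:', report);
console.log('fresh install would resolve:', resolveNewest('^3.9.0', ['3.9.0', '3.14.1', '4.0.0']));
```

Run it with `node` and compare the two lines: the locked `3.9.0` is in range but unpatched, and a fresh resolution of `^3.9.0` lands on `3.14.1`, which is the outcome the maintainer's reinstall advice depends on. Against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))` and use the same `auditTransitive` call; a `false` in `patched` after a reinstall means the range is being satisfied by something other than the registry's newest version and the lockfile deserves a closer look.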

@commit-master
Author

I did, yes, as well as deleting node_modules and the package-lock.json. After running an npm audit the vulnerability is still flagged:

[image attachment]

@JounQin JounQin reopened this Mar 23, 2022
JounQin added a commit that referenced this issue Mar 23, 2022
@JounQin
Collaborator

JounQin commented Mar 23, 2022

@commit-master v2.6.0 released.

@commit-master
Author

Thanks a lot!
