Conversation

@scttcper
avoid vulnerability from cache-base > union-value > set-value

https://www.npmjs.com/advisories/1012

@scttcper
Author

This is no longer as annoying as it once was, as seen in #13, but an upgrade would still be okay.

@jonschlinkert
Owner

> This is no longer as annoying as it once was, as seen in #13, but an upgrade would still be okay.

Indeed! Sorry for the late reply and thank you for the PR! I'll get this merged ASAP!

@iveelsm

iveelsm commented Aug 29, 2019

Any progress on this change? We have some security vulnerabilities we would like to address, and it appears that this may be holding us up.

@liddiard

@jonschlinkert also following up on this. We're getting security vulnerability notifications from the old version of union-value used by this package (which is in turn using the vulnerable version of set-value). Could we get a new release with this package upgrade?

@cyberhck

Hello? Can we get this merged?

@finppp

finppp commented Jan 21, 2020

@jonschlinkert would it be possible to get this merged?

Many thanks,
Finlay

@cyberhck

This package is probably no longer being maintained; the last update was 2 years ago.

@doowb
Collaborator

doowb commented Jan 26, 2020

This update isn't necessary due to the patches applied in the dependencies and the semver ranges used.

If you're still getting security warnings from another tool you use, this guide might help ensure you have the latest versions. After that, if you're still receiving notices, there's probably incorrect information for version ranges specified for the security tool.

We'll merge this PR when we have other changes to make in this library.

@thomasballinger

I'm probably missing something here, but it seems to me that this PR would still be useful.
Without this PR,

  • cache-base requires "union-value": "^1.0.0" so union-value@2.0.1 does not fulfill this requirement. (the syntax ^1.0.0 allows 1.0.1 and 1.1.1, but not 2.0.0)
  • union-value@1.x.x requires "set-value": "^0.4.3" so set-value@2.0.1 does not fulfill this requirement. (the syntax ^0.4.3 allows 0.9.9 but not 2.0.1)

So it seems every published version of union-value still requires a set-value version which is triggering security tools.

@doowb
Collaborator

doowb commented Mar 11, 2020

@thomasballinger union-value@1.0.0 was patched to use set-value@2.0.1 and bumped to union-value@1.0.1.
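The two comments above turn on how npm's caret (`^`) ranges resolve along the cache-base > union-value > set-value chain. The following is an added example, not code from this PR or from any of the packages involved: a minimal implementation of the caret rule, plus a check of the chain using a constructed manifest table built only from the versions and ranges named in this thread.

```javascript
'use strict';

function parse(v) {
  return v.split('.').map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// npm's caret rule: allow changes that leave the left-most non-zero component
// of the lower bound unchanged, so ^1.0.0 => >=1.0.0 <2.0.0 and ^0.4.3 => >=0.4.3 <0.5.0.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const lower = parse(range.slice(1));
  const v = parse(version);
  return cmp(v, lower) >= 0 && cmp(v, caretUpperBound(lower)) < 0;
}

// Constructed manifest table (package@version -> declared dependency ranges),
// taken from the ranges quoted in the thread; not fetched from the registry.
const MANIFESTS = {
  'union-value@1.0.0': { 'set-value': '^0.4.3' },
  'union-value@1.0.1': { 'set-value': '^2.0.1' },
};
const CACHE_BASE_RANGE = '^1.0.0'; // cache-base's declared range for union-value

// Audit one resolution of the chain: can cache-base's range select this
// union-value version, and does that version's own range admit the given
// set-value version? Returns a small report rather than printing it.
function chainAllowsSetValue(unionValueVersion, setValueVersion) {
  const fromCacheBase = satisfiesCaret(CACHE_BASE_RANGE, unionValueVersion);
  const manifest = MANIFESTS[`union-value@${unionValueVersion}`];
  if (!manifest) {
    return { fromCacheBase, setValueRange: null, toSetValue: false, ok: false };
  }
  const setValueRange = manifest['set-value'];
  const toSetValue = satisfiesCaret(setValueRange, setValueVersion);
  return { fromCacheBase, setValueRange, toSetValue, ok: fromCacheBase && toSetValue };
}
```

Running `chainAllowsSetValue('1.0.1', '2.0.1')` reports `ok: true`, which is the resolution doowb describes; with `'1.0.0'` the `^0.4.3` range rejects set-value 2.0.1, so a lockfile still pinning union-value@1.0.0 is what an auditor should look for.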

scttcper closed this Mar 11, 2020