Security Issue with dot-prop and yargs-parser versions used #2575
Comments
|
Hi Folks 👋 You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details). Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves. In order to take this awesome project forward from its current state, it is important that we focus our finite resources on what is most important to lerna users in 2022. With that in mind, we have identified this issue as being potentially stale due to its age and/or lack of recent activity. Next steps: We want to give you some time to read through this comment and take action per one of the steps outlined below, so for the next 14 days we will not make any further updates to this issue. @Vishesh30 as the original author of this issue, we are looking to you to update us on the latest state of this as it relates to the latest version of lerna. Please choose one of the steps below, depending on what type of issue this is:
If we do not hear from @Vishesh30 on this thread within the next 14 days, we will automatically close this issue. If you are another user impacted by this issue but it ends up being closed as part of this process, we still want to hear from you! Please simply head over to our new issue templates and fill out all the requested details on the template which applies to your situation: https://github.com/lerna/lerna/issues/new/choose Thank you all for being a part of this awesome community, we could not be more excited to help move things forward from here 🙏 🚀 |
|
Hi @Vishesh30, following on from the note above, looking at this issue specifically the relevant packages have all since been patched and there are no such audit warnings when using our latest v5 packages we released since we took over. Many thanks again! |
The current version of the dot-prop npm package and yargs-parser package which is used is having security vulnerabilities and causing problems.
Below is dependency is tree for both package:-
xxxxxxx@ZZZM56584888A:~/Git/x<repo_name>$npm ls dot-prop
xxxxxx@0.1.0 /Users/xxxxxxx/Git/
└─┬ lerna@3.20.0
├─┬ @lerna/add@3.20.0
│ └─┬ @lerna/command@3.18.5
│ └─┬ @lerna/project@3.18.0
│ └── dot-prop@4.2.0
└─┬ @lerna/version@3.20.0
└─┬ @lerna/conventional-commits@3.18.5
└─┬ conventional-changelog-angular@5.0.6
└─┬ compare-func@1.3.2
└── dot-prop@3.0.0
xxxxxxx@ZZZM56584888A:~/Git/x<repo_name>$npm ls yargs-parser
xxxxxxx@0.1.0 /Users/xxxxxxx/Git/<repo-name
└─┬ lerna@3.20.0
├─┬ @lerna/cli@3.18.5
│ └─┬ yargs@14.2.3
│ └── yargs-parser@15.0.1
└─┬ @lerna/version@3.20.0
└─┬ @lerna/conventional-commits@3.18.5
└─┬ conventional-changelog-core@3.2.3
└─┬ conventional-changelog-writer@4.0.11
├─┬ handlebars@4.7.4
│ ├─┬ yargs@15.3.1
│ │ └── yargs-parser@18.1.3
│ └── yargs-parser@18.1.3 extraneous
└─┬ meow@5.0.0
└── yargs-parser@10.1.0
Can please update the version of these dependencies as these contain security vulnerability.?
lerna --versionnpm --versionnode --version| OS | Version |
| macOS Sierra | 10.12.3 |
The text was updated successfully, but these errors were encountered: