Security Vulnerabilities with globby, pacote and conventional-changelog-core versions #2579
Comments
|
Most likely the problem with updating |
|
Any updates on when this issue might get resolved? We'd like to use lerna for our current project, but, Nexus is flagging and quarantining lerna. We tried going a few minor and at least one major version back, but, to no avail. Note, the latest version, |
|
Hi Folks 👋 You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details). Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves. In order to take this awesome project forward from its current state, it is important that we focus our finite resources on what is most important to lerna users in 2022. With that in mind, we have identified this issue as being potentially stale due to its age and/or lack of recent activity. Next steps: We want to give you some time to read through this comment and take action per one of the steps outlined below, so for the next 14 days we will not make any further updates to this issue. @vic-nik as the original author of this issue, we are looking to you to update us on the latest state of this as it relates to the latest version of lerna. Please choose one of the steps below, depending on what type of issue this is:
If we do not hear from @vic-nik on this thread within the next 14 days, we will automatically close this issue. If you are another user impacted by this issue but it ends up being closed as part of this process, we still want to hear from you! Please simply head over to our new issue templates and fill out all the requested details on the template which applies to your situation: https://github.com/lerna/lerna/issues/new/choose Thank you all for being a part of this awesome community, we could not be more excited to help move things forward from here 🙏 🚀 |
|
Hi Folks, following on from the note above, looking at this issue specifically the relevant packages have all since been patched and there are no such audit warnings when using our latest v5 packages we released since we took over. Many thanks again! |
The current versions of the following npm packages have security vulnerabilities. Can you please upgrade them to the latest version?
The vulnerable packages in dependecy tree are:
kind-of v. < 6.0.3
minimist v. < 0.2.1
Below are related dependency trees:
-- lerna@3.20.2 +-- @lerna/add@3.20.0 |-- @lerna/command@3.18.5|
-- clone-deep@4.0.1 | +-- kind-of@6.0.3 |-- shallow-clone@3.0.1|
-- kind-of@6.0.3 deduped-- @lerna/create@3.18.5-- globby@9.2.0-- fast-glob@2.2.7-- micromatch@3.1.10 +-- braces@2.3.2 | +-- fill-range@4.0.0 | |-- is-number@3.0.0| |
-- kind-of@3.2.2 |-- snapdragon-node@2.1.1| +-- define-property@1.0.0
| |
-- is-descriptor@1.0.2 | | +-- is-accessor-descriptor@1.0.0 | | |-- kind-of@6.0.3 deduped| | +-- is-data-descriptor@1.0.0
| | |
-- kind-of@6.0.3 deduped | |-- kind-of@6.0.3 deduped|
-- snapdragon-util@3.0.1 |-- kind-of@3.2.2+-- define-property@2.0.2
|
-- is-descriptor@1.0.2 | +-- is-accessor-descriptor@1.0.0 | |-- kind-of@6.0.3 deduped| +-- is-data-descriptor@1.0.0
| |
-- kind-of@6.0.3 deduped |-- kind-of@6.0.3 deduped+-- extglob@2.0.4
|
-- define-property@1.0.0 |-- is-descriptor@1.0.2| +-- is-accessor-descriptor@1.0.0
| |
-- kind-of@6.0.3 deduped | +-- is-data-descriptor@1.0.0 | |-- kind-of@6.0.3 deduped|
-- kind-of@6.0.3 deduped +-- kind-of@6.0.3 deduped +-- nanomatch@1.2.13 |-- kind-of@6.0.3 deduped-- snapdragon@0.8.2 +-- base@0.11.2 | +-- cache-base@1.0.1 | | +-- has-value@1.0.0 | | |-- has-values@1.0.0| | |
-- kind-of@4.0.0 | |-- to-object-path@0.3.0| |
-- kind-of@3.2.2 | +-- class-utils@0.3.6 | |-- static-extend@0.1.2| |
-- object-copy@0.1.0 | |-- kind-of@3.2.2|
-- define-property@1.0.0 |-- is-descriptor@1.0.2| +-- is-accessor-descriptor@1.0.0
| |
-- kind-of@6.0.3 deduped | +-- is-data-descriptor@1.0.0 | |-- kind-of@6.0.3 deduped|
-- kind-of@6.0.3 deduped-- define-property@0.2.5-- is-descriptor@0.1.6 +-- is-accessor-descriptor@0.1.6 |-- kind-of@3.2.2+-- is-data-descriptor@0.1.4
|
-- kind-of@3.2.2-- kind-of@5.1.0-- lerna@3.20.2 +-- @lerna/add@3.20.0 |-- @evocateur/pacote@9.6.5|
-- mkdirp@0.5.1 |-- minimist@0.0.8+-- @lerna/create@3.18.5
|
-- @lerna/child-process@3.16.5 |-- strong-log-transformer@2.1.0|
-- minimist@1.2.0-- @lerna/version@3.20.2-- @lerna/conventional-commits@3.18.5 +-- conventional-changelog-core@3.2.3 | +-- conventional-changelog-writer@4.0.11 | |-- handlebars@4.7.2| |
-- optimist@0.6.1 | |-- minimist@0.0.8 deduped| +-- get-pkg-repo@1.4.0
| |
-- meow@3.7.0 | |-- minimist@1.2.0| +-- git-raw-commits@2.0.0
| |
-- meow@4.0.1 | |-- minimist@1.2.0|
-- git-semver-tags@2.0.3 |-- meow@4.0.1|
-- minimist@1.2.0-- conventional-recommended-bump@5.0.1-- meow@4.0.1-- minimist@1.2.0lerna --versionnpm --versionnode --versionThe text was updated successfully, but these errors were encountered: