Lerna uses version of dot-prop@4.2.0 which does not include recent security fix #2682
Comments
As best I can tell, since

edit: the release section says as much - aside from the node version - no breaking changes.

@roboswank I'll try this. Thank you.

@jimmyandrade Just edited my comment above, as I do believe that this is a yarn-specific prop. For npm it looks like you can use something like

Yes, I am using npm. Thank you for complementing your comment and sharing the resolution for npm. I'll try and check if it works.

Thanks for the solution @roboswank, works for me.

Hi Folks 👋 You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details). Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves. We hope you will continue to be a part of this community as we look to take things forward from here! Please see #3140 for more details on our plans for 2022.

In the case of this specific issue, it looks like the

If you run into any issues on the latest version of lerna, please feel free to open a new issue and follow the instructions:

Many thanks 🙏
Expected Behavior

Lerna has some packages that depend on an outdated version of the dot-prop package which does not include a recent security fix. For example:

Result of npm ls dot-prop:

More info about the vulnerabilities introduced here: https://npmjs.com/advisories/1213

Current Behavior

After running npm audit, the results include vulnerabilities related to the outdated dot-prop package, which is a dependency of Lerna.

Possible Solution

Update the dot-prop package to at least >=5.1.1 - or the latest.

Steps to Reproduce (for bugs)

npm audit in the project root where lerna is installed.