You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details).
Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves.
We hope you will continue to be a part of this community as we look to take things forward from here!
Please see #3140 for more details on our plans for 2022.
In the case of this specific issue, we already addressed the outdated dependencies mentioned here as part of our v5 release of lerna.
Expected Behavior
When lerna@3.x is used, it's dependencies used should not be linked in a CVE.
Current Behavior
The lerna@3.x uses vulnerable version of
ssri@6.0.1
mentioned in CVE GHSA-vx3p-948g-6vhqPossible Solution
Bump
ssri
to^8.0.0
in 3.x release line similar to 41729b4 in 4.xSteps to Reproduce (for bugs)
Create a project which uses lerna@3.x
lerna.json
N/A
Context
I'm trying to remove dependabot alerts in my project which consumes lerna@3.x
Your Environment
lerna --version
npm --version
yarn --version
node --version
The text was updated successfully, but these errors were encountered: