CVE-2021-23362 in hosted-git-info
#204
Comments
@mysticatea Hi, any plans to update it? Is this project alive?
read-pkg@6.0.0 fixes the issue
Using
🤔 @mysticatea would you be interested in releasing a new breaking version of
An attempt to fix the issue is here: #205 I have some issues with AppVeyor and am giving up for now. Any help would be appreciated! @mysticatea 🙏
Yes would be great to get this updated as we are having to move away from this package due to Snyk alerts
@dtothefp which alternative have you been able to find?
We can also hope this is true: import-js/eslint-plugin-import#2046 (comment)
Version 2.8.9 of hosted-git-info is now marked as unaffected by the vulnerability! I just got a PR from Dependabot silencing the alert.
We are using npm-run-all and are seeing this security alert since this morning: CVE-2021-23362. It is introduced via:
npm-run-all@4.1.5
↓
read-pkg@3.0.0
↓
normalize-package-data@2.5.0
↓
hosted-git-info@2.8.8
Looks like upgrading read-pkg to ^5.2.0 should be enough to fix the issue. I’m happy to submit a PR if @mysticatea is happy to cut a release afterwards.
Meanwhile, we’ve added "hosted-git-info": "^4.0.2" to package.json → resolutions.
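An added example, not part of the original issue or of the npm-run-all project: a small Node.js check that walks a dependency tree shaped like `npm ls --all --json` output and reports every chain that reaches a flagged hosted-git-info version, which is how to confirm that an upgrade or a resolutions pin removed the flagged copy. The function names, the "my-app" root and the sample tree are constructed for illustration; the 2.8.9 threshold is taken from the thread and only the 2.x line is judged.

```javascript
// Compare two plain x.y.z versions numerically (pre-release tags are not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Assumption taken from the thread: 2.8.8 is flagged and 2.8.9 is marked
// unaffected. Only the 2.x line is judged; other majors are left to the advisory.
function isFlagged2x(version) {
  return version.split('.')[0] === '2' && compareVersions(version, '2.8.9') < 0;
}

// Depth-first walk over a tree shaped like `npm ls --all --json` output.
// Returns every chain root > ... > target as an array of "name@version".
function findChains(node, name, target, flagged, trail = []) {
  const here = trail.concat(`${name}@${node.version || 'unknown'}`);
  const hits = [];
  if (name === target && node.version && flagged(node.version)) hits.push(here);
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    hits.push(...findChains(dep, depName, target, flagged, here));
  }
  return hits;
}

// Constructed sample mirroring the chain in the issue; "my-app" is hypothetical.
const leaf = (version) => ({ version });
const chainTo = (hgi) => ({
  version: '1.0.0',
  dependencies: { 'npm-run-all': { version: '4.1.5', dependencies: {
    'read-pkg': { version: '3.0.0', dependencies: {
      'normalize-package-data': { version: '2.5.0', dependencies: {
        'hosted-git-info': leaf(hgi) } } } } } } },
});

const before = findChains(chainTo('2.8.8'), 'my-app', 'hosted-git-info', isFlagged2x);
const after = findChains(chainTo('2.8.9'), 'my-app', 'hosted-git-info', isFlagged2x);
console.log(before.map((c) => c.join(' > ')), after.length);
```

For a real project, pass the parsed JSON from `npm ls --all --json` as the root node in place of the constructed tree.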