I'm submitting a...

Current behavior

There is a transitive prod dependency in this package that is seen as a security vulnerability by some tools. Please update to concurrently@5.0.1 to resolve. I have a PR for this.

Prior art: https://github.com/kimmobrunfeldt/concurrently/issues/204

Before updating (on master):

> npm ls execa --prod
@nestjs/ng-universal@2.0.1
`-- concurrently@5.0.0
  `-- yargs@12.0.5
    `-- os-locale@3.1.0
      `-- execa@1.0.0   <-- this is the offending package

Expected behavior

> npm ls execa --prod
@nestjs/ng-universal@2.0.2
`-- (empty)

Minimal reproduction of the problem with instructions

npm ls execa --prod

What is the motivation / use case for changing the behavior?

I work in an enterprise which uses SonarQube. This tool has found execa to be a security vulnerability when it is included in prod dependencies. concurrently is typically meant to be used as a devDependency, so if this were the case, my tool would not have a problem here.

Through some light digging and reading the output of npm ls, I found that os-locale (and therefore execa) was removed in a later version of yargs. I submitted the PR to concurrently to use later yargs.

Environment

Any

Nest version: 2.0.1

For Tooling issues:
- Node version: 12.13.1
- Platform: Windows
- npm 6.12.1
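The issue above locates the offending package by reading the ASCII tree from npm ls by eye. The following is an added example (not code from the issue author or from @nestjs/ng-universal) that does the same walk over the JSON form of that tree, so a CI step can fail whenever a flagged package such as execa appears anywhere in the production dependency tree. The function names, the sample trees and the "clean / flagged" result shape are assumptions made for this example; the first sample tree mirrors the chain the issue shows for @nestjs/ng-universal@2.0.1, and the second only models the absence of execa after the fix, not the full real tree.

```javascript
// Added example, not code from the issue or from @nestjs/ng-universal.
// Walks the object printed by `npm ls --prod --json` (add --all on npm 7+ so
// nested dependencies are included) and reports every dependency chain that
// ends in a flagged package, so a CI step can fail on a transitive prod
// dependency instead of someone reading the ASCII tree by eye.
// Function names and the sample trees below are assumptions for this example.

// Returns every chain "root@ver > ... > target@ver" in an npm ls JSON tree.
// Each `dependencies` entry is keyed by package name and carries `version`
// and, unless deduped, its own `dependencies` map. Names are matched exactly,
// so "exec" does not match "execa".
function findDependencyPaths(node, target, trail = []) {
  const here = [...trail, `${node.name}@${node.version}`];
  const hits = node.name === target ? [here.join(" > ")] : [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    hits.push(...findDependencyPaths({ name, ...child }, target, here));
  }
  return hits;
}

// CI gate: clean only when none of the flagged packages occur anywhere in the
// production tree. The offending chains are returned for the report.
function checkProdTree(tree, flaggedPackages) {
  const paths = flaggedPackages.flatMap((pkg) => findDependencyPaths(tree, pkg));
  return { clean: paths.length === 0, paths };
}

// Constructed sample: the prod tree the issue shows for
// @nestjs/ng-universal@2.0.1, in the shape `npm ls --prod --json` emits.
const SAMPLE_TREE_BEFORE = {
  name: "@nestjs/ng-universal",
  version: "2.0.1",
  dependencies: {
    concurrently: {
      version: "5.0.0",
      dependencies: {
        yargs: {
          version: "12.0.5",
          dependencies: {
            "os-locale": {
              version: "3.1.0",
              dependencies: { execa: { version: "1.0.0" } },
            },
          },
        },
      },
    },
  },
};

// Constructed sample of the expected state: execa no longer in the tree. Only
// the absence of execa matters here; the real tree contains other packages.
const SAMPLE_TREE_AFTER = {
  name: "@nestjs/ng-universal",
  version: "2.0.2",
  dependencies: { concurrently: { version: "5.0.1", dependencies: {} } },
};

// Demo: prints the chain from the issue, then reports the fixed tree as clean.
for (const tree of [SAMPLE_TREE_BEFORE, SAMPLE_TREE_AFTER]) {
  const result = checkProdTree(tree, ["execa"]);
  console.log(`${tree.name}@${tree.version}: ${result.clean ? "clean" : "flagged"}`);
  for (const p of result.paths) console.log("  " + p);
}
```

To run it against a real package, capture the tree with `npm ls --prod --json > prod-tree.json` (on npm 7 and later use `--omit=dev --all`, since `npm ls` there prints only the top level by default), parse the file and pass the object to checkProdTree; `npm ls` may exit non-zero for unrelated peer or extraneous problems while still printing valid JSON, so read stdout rather than relying on the exit code. Matching on the package name alone is deliberate: tools like SonarQube flag execa by its presence in the prod tree, so the gate checks presence, not a version range.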