SECURITY: Depend on request@2.83.1 instead of 2.81.0 to mitigate vulnerability in transient dependency hoek@2.16.3 #86
hoek@2.16.3 has a vulnerability, which is fixed in a newer version. You are currently not (transiently) getting the fixed version because you depend on an older version of request. Upgrading your dependency to request@2.83.1 should fix the problem. Here is the output of NSP:

Comments

Unfortunately this update is going to break any client on Node <= 4.x. I don't support those versions anymore but I won't be able to update
I know these vulnerability warnings are kind of annoying, but Grant does not use anything from this dependency, so in fact this vulnerability is not affecting it.

@manuelkiessling I've released v4.0 where I've dropped the
Check out the Changelog before migrating. There is only one breaking change that may affect you. Let me know if you have any issues.

I'm afraid I cannot test this directly, because grant is only a transient dependency for me - I depend on https://github.com/transloadit/uppy-server (see transloadit/uppy-server/issues/70).

I see, I've sent an email to uppy's maintainers, also I'll comment in their issue tracker. Migration to v4 should be pretty straightforward for them.
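The thread is a textbook transitive-dependency case: whether a tree resolves hoek to a vulnerable version depends on which request is pinned, and a downstream consumer (here, uppy-server) may not be able to change that directly. As an added example that is not part of this issue thread or of Grant's own code, the script below walks a lockfileVersion 1 package-lock.json tree, lists every resolution path that reaches a named package, and flags each occurrence whose version is below an assumed fixed version. The lockfile object is constructed for this example (its structure mirrors request@2.81.0 pulling hawk and hoek), and the 4.2.1 threshold is an assumption: the issue only says hoek is fixed in a newer version and does not name it.

```javascript
// Added example, not code from the grant project or the issue above.
// Walks a lockfileVersion-1 package-lock.json tree and reports every path
// that reaches a given package, plus whether the resolved version is below
// an assumed fixed version.

// Minimal numeric major.minor.patch comparison. Pre-release tags and build
// metadata are ignored (a simplifying assumption for this example).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Recursively collect every occurrence of `name`, with the chain of
// "pkg@version" entries that led to it (nested `dependencies` maps only,
// which is how lockfileVersion 1 records the installed tree).
function findPaths(lock, name) {
  const hits = [];
  function walk(deps, trail) {
    for (const [depName, info] of Object.entries(deps || {})) {
      const here = [...trail, `${depName}@${info.version}`];
      if (depName === name) hits.push({ path: here, version: info.version });
      walk(info.dependencies, here);
    }
  }
  const root = lock.name ? `${lock.name}@${lock.version}` : '(root)';
  walk(lock.dependencies, [root]);
  return hits;
}

// Mark each resolution path of `name` as vulnerable when its version is
// older than `fixedVersion`.
function auditTransitive(lock, name, fixedVersion) {
  return findPaths(lock, name).map((h) => ({
    path: h.path.join(' > '),
    version: h.version,
    vulnerable: compareVersions(h.version, fixedVersion) < 0,
  }));
}

// Constructed lockfile fragment (not taken from any real project):
// request@2.81.0 pulls hawk, which nests hoek@2.16.3 twice, while a
// sibling package already resolves a newer hoek.
const constructedLock = {
  name: 'my-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    request: {
      version: '2.81.0',
      dependencies: {
        hawk: {
          version: '3.1.3',
          dependencies: {
            hoek: { version: '2.16.3' },
            boom: {
              version: '2.10.1',
              dependencies: { hoek: { version: '2.16.3' } },
            },
          },
        },
      },
    },
    'other-lib': {
      version: '1.0.0',
      dependencies: { hoek: { version: '4.2.1' } },
    },
  },
};

// Assumed fixed version used as the threshold; the issue does not name it.
const ASSUMED_HOEK_FIXED = '4.2.1';

// Stand-alone run: print one line per resolution path.
for (const r of auditTransitive(constructedLock, 'hoek', ASSUMED_HOEK_FIXED)) {
  const tag = r.vulnerable ? 'VULNERABLE' : 'ok';
  console.log(`${tag.padEnd(10)} ${r.version.padEnd(8)} ${r.path}`);
}
```

Run it with `node` and feed it a real lockfile by replacing `constructedLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`. The output answers the question the issue raises (which pinned dependency drags in the old hoek and whether a newer request would change that), but it cannot settle the maintainer's point about reachability: a lockfile walk only shows that the package is installed, not whether any of Grant's code paths ever call into it.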