Hi!
Some of the dependencies of alfy and friends seem to be a bit old, resulting in some dependabot alerts in my projects which use it:
alfy@1.0.0 requires plist@^2.0.1 (which has a "critical" security flaw) via a transitive dependency on {alfred-link@0.3.1,alfred-notifier@0.2.3}.
alfy@1.0.0 requires got@^6.7.1 (which has a "moderate" security flaw) via a transitive dependency on package-json@4.0.1.
alfy@1.0.0 requires got@^12.0.3 (which has a "moderate" security flaw)
I doubt these dependencies are taking in direct user input or anything, but the alerts create noise which could hide real issues, so it'd be nice to get rid of them.
I'm using this workaround in my package.json to allow newer versions of those items and things seem to work just fine - I tested an npm install and verified the workflow installed into Alfred looked and worked fine and the dependabot alerts went away:
Would you be open to PRs to address? Happy to push something up, but certainly don't wait on me if you agree.