fix: upgrade @adobe/css-tools to 4.3.1 to address vulnerability #532
@nickmccurdy respectfully bumping since this is causing an issue as a dependency of okta-signin-widget
Bump?
I don't see the point of this change. The existing dependency range will allow package consumers to update the transitive dependency version via
@jgoz I think it's worth adding this change to ensure that consumers of this package are secure since 4.3.0 has a vulnerability, and it would be courteous to just bump the version up and keep this package reliable.
Codecov Report
@@ Coverage Diff @@
## main #532 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 27 27
Lines 664 664
Branches 251 251
=========================================
Hits 664 664
🎉 This PR is included in version 6.1.4 🎉 The release is available on: Your semantic-release bot 📦🚀
Merging since it's just a patch release which shouldn't have breaking changes.
Thanks all!
@justinbaltazar It looks like we need to push the min 4.3.2 based on the latest security patch per GH, not 4.3.1 - I can spin up a quick patch...
EDIT: Patch (#555)
What:
This PR bumps the @adobe/css-tools dependency to 4.3.1

Why:
There is an existing advisory on version 4.3.0: GHSA-hpx4-r86g-5jrg

How:
Updated package.json.

Checklist:
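
Whatever minimum the dependency range declares, the version a consumer actually runs is the one recorded in their lockfile. The following added example (not part of this PR or the project's code) scans the `packages` map of an npm lockfile for copies of @adobe/css-tools below a chosen minimum; the lockfile excerpt, the `some-widget` and `css-tools-extra` entries, and the function names are constructed for illustration.

```javascript
// Added example, not code from this PR. Lockfile excerpt is constructed
// (npm lockfileVersion 2/3 "packages" layout); some-widget is hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@adobe/css-tools": { version: "4.3.0" },
    "node_modules/some-widget/node_modules/@adobe/css-tools": { version: "4.3.1" },
    "node_modules/@adobe/css-tools-extra": { version: "1.0.0" },
  },
};

// Parse MAJOR.MINOR.PATCH with optional pre-release/build metadata.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v);
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when `version` sorts before `minimum`; unparseable input is flagged.
function isBelow(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  if (!a || !b) return true;
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre && !b.pre; // 4.3.1-beta.1 sorts before 4.3.1
}

// Report every installed copy of pkgName (hoisted or nested) below minimum.
function findOutdated(lock, pkgName, minimum) {
  const suffix = "node_modules/" + pkgName;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    if (isBelow(String(meta.version), minimum)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

console.log(findOutdated(sampleLock, "@adobe/css-tools", "4.3.1"));
```

To check a real project, pass the parsed contents of its `package-lock.json` in place of `sampleLock`.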