The development of the BS dev dependency, the ip package, seems to have ceased for good: https://github.com/indutny/node-ip
and the package is now being flagged as a high issue during an audit run when using the NPM package manager: GHSA-2p57-rm9w-gvfp
That is not a problem with BS itself, but some white sourcing tools will mark setups as vulnerable, depending on configuration (I assume that at the company where I work this will happen on the first clean install after the cache in the pipeline is evicted with any package-lock.json update).
Solution:
- remove the ip dependency completely; it looks like it is used only for the Karma runner configuration when run in the BrowserStack context (and this one is either localhost or run on the BrowserStack in-house CI tool). It looks like the BrowserStack action has been disabled anyway in BS
- replace the lookup code with inline code or another dependency.

I assume removing the ip lookup code and just using the Karma configuration defaults (localhost) would be enough,
thanks!
note: not a security issue with BS itself, so the 'SECURITY' submission path was not used
Reduced test cases
n/a
What operating system(s) are you seeing the problem on?
macOS
What browser(s) are you seeing the problem on?
Safari
What version of Bootstrap are you using?
5.3.3
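The "replace the lookup code with inline code" option from the issue above, sketched as an added example that is not Bootstrap's own code: it uses only Node's built-in `os` module, so the audited dependency can be dropped from the lockfile. The names `lookupHostname`, `karmaHostname` and `sampleInterfaces` are hypothetical, and it assumes the lookup only needs the machine's first non-internal IPv4 address.

```javascript
// Added example (not project code): dependency-free address lookup for a
// Karma config, using only Node's built-in os module.
const os = require('node:os');

// Return the first non-internal IPv4 address, or `fallback` when none exists.
// `interfaces` is injectable so the logic can be exercised with constructed data.
function lookupHostname(interfaces = os.networkInterfaces(), fallback = 'localhost') {
  for (const addrs of Object.values(interfaces)) {
    for (const addr of addrs || []) {
      // Node reports family as the string 'IPv4'; Node 18.0-18.3 reported the number 4.
      const isV4 = addr.family === 'IPv4' || addr.family === 4;
      if (isV4 && !addr.internal) {
        return addr.address;
      }
    }
  }
  // No usable interface (for example an offline CI container): keep Karma's default.
  return fallback;
}

// Hypothetical wiring: only remote-browser runs need a routable hostname;
// local runs stay on the Karma default.
function karmaHostname(useRemoteBrowsers, interfaces) {
  return useRemoteBrowsers ? lookupHostname(interfaces) : 'localhost';
}

// Constructed sample shaped like os.networkInterfaces() output.
const sampleInterfaces = {
  lo0: [{ address: '127.0.0.1', family: 'IPv4', internal: true }],
  en0: [
    { address: 'fe80::1', family: 'IPv6', internal: false },
    { address: '192.0.2.10', family: 'IPv4', internal: false }
  ]
};

console.log(karmaHostname(true, sampleInterfaces));
```
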