browserslist dependency pops up as MEDIUM vulnerability in whitesource #13676
Hi, I recently created this ticket which was closed and I'm trying to understand what is going on. I hope somebody can share his opinion :-) In a project I'm using a dependency on nestjs-cli v7.6.0. This version has a dependency on webpack v5.28.0 (https://github.com/nestjs/nest-cli/blob/7a286498b917d95630ce5a0b969bc0fed04d0b80/package.json#L65). Then webpack v5.28.0 has a dependency on browserslist "^4.14.5" (https://github.com/nestjs/nest-cli/blob/7a286498b917d95630ce5a0b969bc0fed04d0b80/package.json#L65). If I'm not mistaken and according to semver, it should install browserslist v4.16.6 but it ends up installing browserslist v4.16.3, which is spotted as a MEDIUM vulnerability by whitesource scan (https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-23364). Does somebody know why? Thanks
Replies: 1 comment 1 reply
`rm -rf package-lock.json && npm install`, you need to update transitive deps
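
npm installs the version pinned in package-lock.json as long as it satisfies the declared range, so a pin can be valid for `^4.14.5` and still be older than the release the poster expected. The script below is an added example, not code from the thread or from any project named in it: it lists every locked copy of a package and marks the ones that are in range but older than a wanted version. The lockfile content and the helper names (`findLocked`, `audit`) are constructed for illustration; the versions are the ones quoted in the question.

```javascript
// Added example (not from the thread). The lockfile below is constructed.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app" },
    "node_modules/webpack": { version: "5.28.0" },
    "node_modules/browserslist": { version: "4.16.3" },
  },
};

const parse = (v) => v.split("-")[0].split(".").map(Number);
const cmp = (a, b) => {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Caret ranges with major >= 1 only: ^4.14.5 means >=4.14.5 and <5.0.0.
const satisfiesCaret = (version, range) => {
  const base = range.replace(/^\^/, "");
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
};

// Collect every locked copy of `name` (hypothetical helper).
function findLocked(lock, name) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 and 3
    for (const [path, meta] of Object.entries(lock.packages))
      if (path.endsWith("node_modules/" + name)) hits.push({ path, version: meta.version });
    return hits;
  }
  const walk = (deps, trail) => { // lockfileVersion 1: nested "dependencies"
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + dep;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// inRange: the pin is legal for the declared range. stale: older than `wanted`.
function audit(lock, name, range, wanted) {
  return findLocked(lock, name).map((h) => ({
    ...h, inRange: satisfiesCaret(h.version, range), stale: cmp(h.version, wanted) < 0,
  }));
}

console.log(audit(SAMPLE_LOCK, "browserslist", "^4.14.5", "4.16.6"));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's package-lock.json.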