browserslist dependency pops up as MEDIUM vulnerability in whitesource

[armandorod2000]

Hi,

I recently created this ticket which was closed and I'm trying to understand what is going on. I hope somebody can share his opinion :-)

In a project I'm using a dependency to nestjs-cli v7.6.0. This version has a dependency to webpack v5.28.0 (https://github.com/nestjs/nest-cli/blob/7a286498b917d95630ce5a0b969bc0fed04d0b80/package.json#L65). Then webpack v5.28.0 has a dependency to browserslist "^4.14.5" (https://github.com/nestjs/nest-cli/blob/7a286498b917d95630ce5a0b969bc0fed04d0b80/package.json#L65). If I'm not mistaking and according to semver, it should install browserslist v4.16.6 but it end up installing browserlist v4.16.3 which is spotted as a MEDIUM vulnerability by whitesource scan (https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-23364). Does somebody know why?

Thanks

[alexander-akait]

rm -rf package-lock.json && npm install, you need update transitive deps

[armandorod2000]

I did not pay attention to the package-lock.json... after deleting it and running npm i finally the latest version of browserlist was installed. It looks like the file package-lock.json was pushed to the GitHub repository and it got out of sync at some point in time.

Thanks again @alexander-akait :-)