Cli: [QUESTION] Possible to fix vulnerability issue related to dot-prop?

Created on 24 Jul 2020 · 2 Comments · Source: npm/cli

What / Why

Anchore is reporting a vulnerability issue that is related to an old (<5.1.1) version of the dot-prop package.

I tried to trace the versions:
update-notifier depends on configstore which depends on dot-prop.

[email protected] uses [email protected] which uses [email protected] where the issue has been fixed.

Is it possible to fix this?

Question Release 6.x

All 2 comments

You'd have to file that on configstore's repo, and then on update-notifier's repo.

You'd have to file that on configstore's repo, and then on update-notifier's repo.

This repo is using update-notifier 2.5.0, and 4.1.0 would fix the issues. The other repos mentioned are already using the fixed versions.
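
The chain traced in the question (update-notifier, then configstore, then dot-prop) can be recovered mechanically from a lockfile. The following is an added example, not part of the original thread or npm's own code: it walks an npm 6.x style (v1) `package-lock.json` tree and reports every path to a dot-prop copy older than 5.1.1. The sample lockfile is constructed; the configstore and dot-prop versions in it and the `other-tool` package are assumptions for illustration.

```javascript
// Compare plain x.y.z versions (no prerelease tags); negative means a < b.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Resolve `name` the way Node does: the nearest enclosing `dependencies` map wins.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const hit = (scopes[i].dependencies || {})[name];
    if (hit) return { node: hit, scopes: scopes.slice(0, i + 1) };
  }
  return null;
}

// List every chain from a direct dependency to a copy of `target` older than `fixed`.
function findVulnerablePaths(lock, directDeps, target, fixed) {
  const hits = [];
  const walk = (name, scopes, chain, seen) => {
    const r = resolve(scopes, name);
    if (!r || seen.has(r.node)) return; // unresolved, or a dependency cycle
    const next = [...chain, `${name}@${r.node.version}`];
    if (name === target && cmpVersion(r.node.version, fixed) < 0) hits.push(next.join(' > '));
    const nextSeen = new Set(seen).add(r.node);
    for (const req of Object.keys(r.node.requires || {})) {
      walk(req, [...r.scopes, r.node], next, nextSeen);
    }
  };
  for (const d of directDeps) walk(d, [lock], [], new Set());
  return hits;
}

// Constructed sample lockfile (v1 layout). The configstore and dot-prop versions
// and the `other-tool` package are made up for illustration.
const sampleLock = {
  dependencies: {
    'update-notifier': { version: '2.5.0', requires: { configstore: '^3.0.0' } },
    configstore: { version: '3.1.2', requires: { 'dot-prop': '^4.1.0' } },
    'dot-prop': { version: '4.2.0' },
    'other-tool': {
      version: '1.0.0',
      requires: { 'dot-prop': '^5.1.1' },
      dependencies: { 'dot-prop': { version: '5.2.0' } },
    },
  },
};

console.log(findVulnerablePaths(sampleLock, ['update-notifier', 'other-tool'], 'dot-prop', '5.1.1'));
```

Only the hoisted dot-prop reached through update-notifier is reported; the nested 5.2.0 copy under `other-tool` resolves first for that package and is not flagged.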
