Jest: Jest 26.1.0 - Dependencies failing NPM audits

Created on 3 Jul 2020  ·  3Comments  ·  Source: facebook/jest

🐛 Bug Report

It seems the current lodash package that is the dependency of Jest is introducing nearly 3000 audit vulnerabilities

To Reproduce

Steps to reproduce the behavior:
Install jest and run an npm audit

Expected behavior

Jest passes npm audit

envinfo

System:
OS: macOS 10.15.5
CPU: (12) x64 Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz
Binaries:
Node: 12.16.3 - /usr/local/bin/node
Yarn: 1.22.4 - /usr/local/bin/yarn
npm: 6.14.4 - /usr/local/bin/npm
npmPackages:
jest: ^26.1.0 => 26.1.0


Labels: Bug Report, Needs Repro, Needs Triage

All 3 comments

This isn't really actionable by jest - this is the issue to watch: https://github.com/lodash/lodash/issues/4837

Also, Jest doesn't depend on lodash, so there's at least one more layer between the lodash fix and us. Hopefully it'll all be within semver range, tho
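The "one more layer" above can be checked from the lock file itself. As an added example (not code from the Jest project or this thread), the script below walks a constructed npm 6 (lockfileVersion 1) package-lock, reconstructs the chain from jest down to lodash, and checks whether a hypothetical fixed lodash release would fall inside the caret range the intermediate package declares, i.e. whether `npm update` alone would pick it up. "some-runner", its versions and the fixed lodash version are placeholders; only jest 26.1.0 comes from the report.

```javascript
// Added example, not code from the Jest project. The lock object is CONSTRUCTED
// in npm 6 (lockfileVersion 1) shape; "some-runner" is a placeholder for
// whichever intermediate package actually requires lodash.
const lock = {
  lockfileVersion: 1,
  dependencies: {
    jest: { version: "26.1.0", requires: { "some-runner": "^2.3.0" } },
    "some-runner": { version: "2.3.1", requires: { lodash: "^4.17.15" } },
    lodash: { version: "4.17.15" },
  },
};
// Minimal caret-range check for the "^x.y.z" form only (the real `semver`
// package handles the full grammar).
function satisfiesCaret(range, version) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const lo = m.slice(1).map(Number);
  const v = version.split(".").map(Number);
  // Caret keeps the leftmost non-zero component fixed ...
  const sameLine = lo[0] === 0 ? v[0] === 0 && v[1] === lo[1] : v[0] === lo[0];
  // ... and accepts anything at or above the lower bound.
  const notBelow = v[0] > lo[0] || (v[0] === lo[0] &&
    (v[1] > lo[1] || (v[1] === lo[1] && v[2] >= lo[2])));
  return sameLine && notBelow;
}
// Every package whose `requires` names `target`, with the range it declares.
function dependentsOf(lock, target) {
  return Object.entries(lock.dependencies)
    .filter(([, meta]) => meta.requires && meta.requires[target])
    .map(([name, meta]) => ({ dependent: name, range: meta.requires[target] }));
}
// Follow `requires` edges upward from `name` until nothing requires it.
function chainFromRoot(lock, name) {
  const chain = [name], seen = new Set(chain);
  for (let cur = name; ; ) {
    const parent = dependentsOf(lock, cur)[0];
    if (!parent || seen.has(parent.dependent)) return chain.reverse();
    chain.push(parent.dependent); seen.add(parent.dependent); cur = parent.dependent;
  }
}
// For a hypothetical fixed release of `target`: does each dependent's declared
// range accept it, so that `npm update` alone clears the audit finding?
function fixReach(lock, target, fixedVersion) {
  return dependentsOf(lock, target).map(({ dependent, range }) => ({
    chain: chainFromRoot(lock, dependent).concat(target).join(" > "),
    range,
    picksUpFix: satisfiesCaret(range, fixedVersion),
  }));
}
```

Against a real project, replace the constructed `lock` with the parsed contents of `package-lock.json`; `npm ls lodash` gives the same chain view interactively.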

Sorry about just dumping that and running, have been kind of swamped this week and hadn't considered that due to being preoccupied. You are absolutely correct.

