Describe the bug
=> Found "[email protected]"
info Reasons this module exists
- "_project_#mjml-core#cheerio#css-select" depends on it
https://avd.aquasec.com/nvd/cve-2021-33587/
Is it possible to update mjml packages to have css-what >= 5.0.1?
Looks like for this to fully work we need https://github.com/Automattic/juice package to update their dependencies also. But that can be done from juice side
Expected behavior
css-what to be 5.0.1 in yarn.lock file
MJML environment (please complete the following information):
According to this updating to [email protected] should do the trick.
Here is a pull request
please don't forget to publish :)
We'll do it in 4.9.x. It's not really that critical in MJML context.
@iRyusa Thanks for info. Is there any ETA on when you will release? Because, currently, some CI Pipelines fail and block due to that high CVE. If it takes some more time, I'd rather tend to monkey patch cheerio and/or css-what through resolutions in yarn than waiting too long for a release.
We'll see if we can get sometime around next week as we can't automate releases.
This should be solved in 4.10.0. Note that there's a dep issue with babel runtime, so you should regenerate your lockfile 👍 Closing.
@iRyusa perfect time! I can confirm all working fine. Thanks a lot!
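To confirm the expected state from this thread (every `css-what` entry in `yarn.lock` at 5.0.1 or later, whether it got there through the MJML release or through yarn `resolutions`), a lockfile check can run in CI. This is an added example, not code from the thread or from MJML; it assumes the Yarn v1 lockfile format, the function names are hypothetical, and the sample lockfile is constructed.

```javascript
// Added example: flag yarn.lock (v1) entries of a package below a minimum version.
const MIN_FIXED = "5.0.1"; // from the issue: css-what >= 5.0.1

// Constructed sample lockfile excerpt (not taken from a real project).
const SAMPLE_LOCK = `# yarn lockfile v1

"@babel/runtime@^7.14.6":
  version "7.14.6"

css-what@2.1:
  version "2.1.3"

"css-what@^3.2.1", css-what@^3.4.2:
  version "3.4.2"

css-what@^5.0.0:
  version "5.0.1"
`;

// Compare major.minor.patch only; prerelease tags are ignored.
function isBelow(version, minimum) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const a = parse(version), b = parse(minimum);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

function findOutdated(lockText, pkg, minimum) {
  const findings = [];
  let selectors = [];
  for (const line of lockText.split(/\r?\n/)) {
    if (line && !line.startsWith(" ") && !line.startsWith("#") && line.endsWith(":")) {
      // Entry header: comma-separated "name@range" selectors, optionally quoted.
      // indexOf("@", 1) skips the leading "@" of scoped package names.
      selectors = line.slice(0, -1).split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""))
        .filter((s) => s.slice(0, s.indexOf("@", 1)) === pkg);
    } else if (selectors.length) {
      const m = /^  version "([^"]+)"$/.exec(line);
      if (m && isBelow(m[1], minimum)) findings.push({ selectors, version: m[1] });
      if (m) selectors = [];
    }
  }
  return findings;
}

console.log(findOutdated(SAMPLE_LOCK, "css-what", MIN_FIXED));
```

Each finding lists the selectors that resolved to the old version, which shows which dependency ranges still need an upstream bump or a `resolutions` entry.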