Review minimist CVE issue #265

Open
repli2dev opened this issue Apr 10, 2022 · 1 comment
@repli2dev

https://github.com/datoszs/czech-lawyers/security/dependabot/91

Is it relevant to take the pain of upgrading through the dependency hell?


tomvej commented Apr 11, 2022

Very much depends (no pun indented). I'd try to avoid upgrading major versions when possible.

It will probably need analysis of whether the problem really affects us:

  1. Some vulnerabilities may not affect our code.
  2. Some vulnerabilities may only be in devDependencies, so they only affect the build (which may mean possibly leaking env variables but if we don't do builds ...).
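A worked version of the analysis tomvej describes, added here as an example and not code from the czech-lawyers project or from minimist: read the npm lockfile, find every installed copy of the flagged package, compare each copy's version against the fixed version stated in the advisory, and report whether the vulnerable copies live only under devDependencies (build-time only) or also in the production tree. It assumes a package-lock.json with lockfileVersion 2 or 3, where npm marks packages reachable only from devDependencies with `"dev": true`; the lockfile, package names and versions below are constructed, and `FIXED_VERSION_PLACEHOLDER` must be replaced with the fixed version from the advisory.

```javascript
// Added example, not code from the czech-lawyers project or from minimist.
// Answers two questions from a lockfile alone, offline:
//   (a) is the flagged package installed in a version below the advisory's fix?
//   (b) is every vulnerable copy reachable only through devDependencies?
// Assumes lockfileVersion 2 or 3: installed packages are keyed under "packages"
// by their node_modules path and dev-only packages carry "dev": true.

// Constructed lockfile fragment; package names and versions are hypothetical.
const CONSTRUCTED_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { "prod-http-lib": "2.0.0" },
      devDependencies: { "build-tool": "4.0.0", "test-runner": "9.0.0" },
    },
    "node_modules/prod-http-lib": { version: "2.0.0", dependencies: { minimist: "^1.2.0" } },
    // nested copy pulled in by a production dependency: not marked dev
    "node_modules/prod-http-lib/node_modules/minimist": { version: "1.2.5" },
    "node_modules/build-tool": { version: "4.0.0", dev: true, dependencies: { minimist: "^1.2.0" } },
    "node_modules/test-runner": { version: "9.0.0", dev: true },
    // hoisted copy reachable only from devDependencies
    "node_modules/minimist": { version: "1.2.5", dev: true },
    // similarly named package that must not be matched
    "node_modules/minimist-options": { version: "3.0.0", dev: true },
  },
};

// Placeholder: replace with the fixed version stated in the advisory.
const FIXED_VERSION_PLACEHOLDER = "1.3.0";

// Compare dotted numeric versions: is `version` strictly below `fixed`?
// Pre-release suffixes are stripped; a real tool would use the semver package.
function isBelow(version, fixed) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const a = parse(version);
  const b = parse(fixed);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Locate every installed copy of `name` (hoisted or nested) and classify it.
function assess(lockfile, name, fixedVersion) {
  if (!lockfile.packages) {
    throw new Error("lockfileVersion 2 or 3 required (no 'packages' map)");
  }
  const suffix = "node_modules/" + name;
  const copies = Object.entries(lockfile.packages)
    // exact hoisted path, or a nested path ending in "/node_modules/<name>"
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, entry]) => ({
      path,
      version: entry.version || "0.0.0",
      dev: entry.dev === true,
      vulnerable: isBelow(entry.version || "0.0.0", fixedVersion),
    }));
  const vulnerableProd = copies.filter((c) => c.vulnerable && !c.dev);
  const vulnerableDev = copies.filter((c) => c.vulnerable && c.dev);
  return {
    installed: copies.length > 0,
    // "dev only" in the sense above: every vulnerable copy sits under devDependencies
    devOnly: vulnerableDev.length > 0 && vulnerableProd.length === 0,
    vulnerableProdPaths: vulnerableProd.map((c) => c.path),
    vulnerableDevPaths: vulnerableDev.map((c) => c.path),
  };
}

// Stand-alone run against the constructed lockfile; for a real project, load
// package-lock.json with fs.readFileSync and JSON.parse and pass it instead.
console.log(JSON.stringify(assess(CONSTRUCTED_LOCKFILE, "minimist", FIXED_VERSION_PLACEHOLDER), null, 2));
```

A `devOnly: false` result with a non-empty `vulnerableProdPaths` means the package is also in the production tree, so the "only affects the build" argument does not apply to that copy; a `devOnly: true` result still leaves the build-time exposure (env variables during builds) to be judged separately, as the comment above notes.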
