Outstanding Security Vulnerability via RC which is using an out of date INI version #535
Comments
I think node-pre-gyp can likely get away without using RC in a future release. So I may just go that direction: https://github.com/mapbox/node-pre-gyp/tree/remove-rc
@springmeyer just checking in, any updates on this?
Yes, node-pre-gyp upcoming v1.0.0 release will drop rc (#552) so this issue will be resolved
@springmeyer do you know when the new v1.0.0 will be released?
@motishani an alpha is already available. Try doing:
@mapbox/[email protected] is now released, which solves this.
Hi Folks,
Node-pre-gyp uses RC, which in turn is using an out of date ini version with a high severity prototype pollution vulnerability: https://app.snyk.io/vuln/SNYK-JS-INI-1048974
It looks like RC hasn't been updated in some time and it's already been a few weeks (granted there were holidays), so I'm escalating the issue here in case folks can help. See RC issue 120 and RC resolved but unmerged PR 121.
A quick review does seem to show that Dominic was responsive in the past re minimist? (See RC pull 114 and RC pull 115; cf. #493)
Thanks