serverless-dynamodb-local
Fix npm published version number
Actual Behaviour
If you run npm audit
$ npm audit
=== npm audit security report ===
# Run npm install --save-dev [email protected] to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node.extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-dynamodb-local [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless-dynamodb-local > dynamodb-localhost > rmdir > │
│ │ node.flow > node.extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/781 │
└───────────────┴──────────────────────────────────────────────────────────────┘
It advises you to install:
npm install --save-dev [email protected]
Expected Behaviour
It should offer to install version 0.2.37, as that is the latest version of the package. This is because the npm registry has versions 1.0.0, 1.0.1 and 1.0.2 published 3 years ago.
Steps to reproduce it
Run npm audit
Would you like to work on the issue?
Maybe; it requires npm publish access to fix this issue.
Potential options:
- Deprecate npm releases 1.0.0, 1.0.1 and 1.0.2.
- Release a new version 1.2.38
I know that option 2 is against how semver works. In this case, publishing those 1.x versions has led to this issue. However, this will set things on the right track for future releases. Essentially you are doing a fake release to realign semver releases.
Addressing this issue will potentially fix #213, #211 and #134.
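The mismatch described in this issue, as an added example that is not part of the original issue or the project's code: a check that compares a package's highest semver release with its most recently published one. The input shape follows `npm view <pkg> time --json`; the timestamps are constructed and the function names are hypothetical.

```javascript
// Added example: flag a package whose highest semver release is older than
// its most recently published release. Timestamps below are constructed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v); // plain x.y.z only; prereleases skipped
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function findVersionMismatch(timeMap) {
  const releases = Object.entries(timeMap)
    .filter(([v]) => parseVersion(v) !== null) // drops "created"/"modified" keys
    .map(([version, published]) => ({ version, published: Date.parse(published) }));
  if (releases.length === 0) return null;
  const highest = releases.reduce((a, b) =>
    (compareVersions(a.version, b.version) >= 0 ? a : b));
  const newest = releases.reduce((a, b) => (a.published >= b.published ? a : b));
  return {
    highestSemver: highest.version,
    newestPublished: newest.version,
    mismatch: highest.version !== newest.version,
    // Releases published after the semver maximum: newer code, lower number.
    shadowed: releases.filter((r) => r.published > highest.published)
      .map((r) => r.version).sort(compareVersions),
  };
}

// Constructed sample: version numbers from the issue, dates invented.
const sampleTimes = {
  created: "2016-01-01T00:00:00.000Z",
  "1.0.0": "2016-01-01T00:00:00.000Z",
  "1.0.1": "2016-01-02T00:00:00.000Z",
  "1.0.2": "2016-01-03T00:00:00.000Z",
  "0.2.37": "2019-01-15T00:00:00.000Z",
};

console.log(findVersionMismatch(sampleTimes));
// Option 2 from the issue: publishing 1.2.38 makes the newest release the highest again.
console.log(findVersionMismatch({ ...sampleTimes, "1.2.38": "2019-03-01T00:00:00.000Z" }));
```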
@AshanFernando Any update on this?
This issue is affecting my team as well, any update on its completion?
@rehrumesh Is anyone going to address this? We've been affected by this due to npm audit fix too.
I think going to 1.2.38 would make the most sense.
I'd suggest version 1.2.39.
Any update on this issue?
Has any progress been made on this? I'm also running into this problem.
Same issue, are there any plans to address this? Please and thank you.