latest eclint depends on vulnerable axios package

Open dlouzan opened this issue 6 years ago • 2 comments

See https://nvd.nist.gov/vuln/detail/CVE-2019-10742

```
(fix/security-vulnerabilities= d4c870e)$ yarn why axios
yarn why v1.16.0
[1/4] 🤔  Why do we have the module "axios"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "eclint#gulp-reporter" depends on it
   - Hoisted from "eclint#gulp-reporter#axios"
info Disk size without dependencies: "432KB"
info Disk size with unique dependencies: "496KB"
info Disk size with transitive dependencies: "628KB"
info Number of shared dependencies: 4
✨  Done in 0.69s.

(fix/security-vulnerabilities= d4c870e)$ yarn list eclint
yarn list v1.16.0
warning Filtering by arguments is deprecated. Please use the pattern option instead.
└─ [email protected]
✨  Done in 0.64s.
```

dlouzan avatar May 30 '19 17:05 dlouzan
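A small reproduction of what the `yarn why` step above does, as an added example that is not part of this issue or of eclint: it parses a constructed yarn.lock v1 fragment (placeholder versions, not eclint's real ones) and lists every chain from the root package to a flagged dependency, so a reviewer can see which direct dependency pulls in the vulnerable one.

```python
# Constructed yarn.lock (v1) fragment mirroring the chain the issue reports (eclint -> gulp-reporter -> axios); versions are placeholders.
SAMPLE_LOCK = """\
"axios@^0.18.0":
  version "0.18.0"

eclint@^2.8.1:
  version "2.8.1"
  dependencies:
    gulp-reporter "^2.8.0"

gulp-reporter@^2.8.0:
  version "2.8.0"
  dependencies:
    axios "^0.18.0"
"""

def parse_lock(text):
    """Return {name: (version, [dependency names])} from yarn.lock v1 text."""
    graph, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" "):               # entry header, e.g. "axios@^0.18.0":
            first_spec = line.rstrip(":").split(", ")[0].strip('"')
            current = first_spec.rsplit("@", 1)[0]   # keeps scoped names like @scope/pkg
            graph[current] = ["", []]
        elif line.startswith("  version "):
            graph[current][0] = line.split('"')[1]
        elif line.startswith("    "):              # a line under "dependencies:"
            graph[current][1].append(line.split()[0].strip('"'))
    return {name: (ver, deps) for name, (ver, deps) in graph.items()}

def why(graph, root, target):
    """Every dependency chain from root down to target (what `yarn why` reports)."""
    chains = []
    def walk(name, path):
        if name in path:                           # cycle guard
            return
        path = path + [name]
        if name == target:
            chains.append(path)
        for dep in graph.get(name, ("", []))[1]:
            walk(dep, path)
    walk(root, [])
    return chains

if __name__ == "__main__":
    g = parse_lock(SAMPLE_LOCK)
    for chain in why(g, "eclint", "axios"):
        print(" -> ".join(f"{n}@{g[n][0]}" for n in chain))
```

Pointing the script at a real lockfile and the package named in an advisory gives the same "who depends on it" answer as `yarn why`, without needing the project installed.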

It would be nice to see dependabot setup for eclint

zbeekman avatar Jul 01 '19 20:07 zbeekman

PR #163 adds a dependabot config.yml, but project authors/maintainers still need to enable it for the project & create a dependabot account.

zbeekman avatar Jul 08 '19 18:07 zbeekman