Update package.json shelljs dependabot Severity High 7.1 / 10

Open arpu opened this issue 1 year ago • 4 comments

dependabot

https://access.redhat.com/security/cve/cve-2022-0144

@dmarcos shelljs is only used in https://github.com/aframevr/aframe/blob/master/scripts/preghpages.js. Is this still used?

arpu, Mar 20 '24 19:03

Yeah, it's used to deploy the examples. This is also a dev dependency, not bundled in the library.

dmarcos, Mar 20 '24 20:03

Dependabot does not like it :) I could not test it, but it would be nice to include the update.

arpu, Mar 20 '24 20:03

We gotta make sure there are no regressions. Also, it is a dev dependency that is only used for A-Frame deployment. Pretty safe to ignore those warnings.

dmarcos, Mar 20 '24 22:03

I understand, but for some security audits (ISO) this is not allowed.

arpu, Mar 20 '24 22:03