
Resolve babel vulnerability

Open tijn opened this issue 1 year ago • 2 comments

What Changed & Why

  • Remove the deprecated istanbul package
  • Install nyc

Dependabot reported a vulnerability in babel-traverse. This in itself is not an issue for this project since we're not compiling code that's specifically crafted by an attacker with it. However, while looking at package-lock.json I found out that the reason for installing babel-traverse is istanbul. And that package has been deprecated. This PR replaces istanbul with nyc.

Bug/Ticket Tracker

https://github.com/devour-js/devour-client/security/dependabot/26

Documentation

https://www.npmjs.com/package/istanbul

Third-Party

nyc - it was recommended by the author of istanbul as its replacement. It also has a permissive ISC license, functionally equivalent to the simplified BSD and MIT licenses.

tijn, Jun 26 '24 09:06

Is everything working like before? Do we need to adjust / update tests etc?

auvipy, Jun 26 '24 18:06

Is everything working like before? Do we need to adjust / update tests etc?

@auvipy I looked for it but it seems there was no code directly calling istanbul. As far as I can see it just provided an executable that you can run to gather information about the code, and nyc (allegedly) does the same.

tijn, Jun 27 '24 08:06

@auvipy shall I merge this pull request?

tijn, Jul 31 '24 11:07