
meow package security error

Open simlevesque opened this issue 3 years ago • 4 comments

Hi, one of npm-check's dependencies had a security update 10 hours ago.

This dependency is meow; version 10.0.1 fixes the problem by updating its dependency on trim-newlines to 4.0.1, which fixes the root issue.

https://www.npmjs.com/package/meow?activeTab=versions

simlevesque avatar Jun 08 '21 17:06 simlevesque

FWIW, upgrading meow to at least v6.0.0 should also fix the warning, in case any earlier major versions are easier to upgrade to. v6.0.0 changes the trim-newlines version range to ^3.0.0, which should upgrade you to trim-newlines v3.0.1 (which also has the fix) when you upgrade meow.

npm audit results

Here are meow's release notes, so you can review breaking changes as you upgrade.

And in the meantime, meow's developer said that the trim-newlines vulnerability doesn't affect meow (https://github.com/sindresorhus/meow/pull/185#issuecomment-856523895), but I don't know if that only applies to meow v10, and it would still be nice to get rid of that npm audit warning, besides.

TyMick avatar Jul 10 '21 18:07 TyMick
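The comments above describe how a fixed trim-newlines release arrives through meow's version range. As an added example (not code from the npm-check project or from anyone in this thread), the script below walks a package-lock.json v1 `dependencies` tree, lists every installed copy of trim-newlines with the path that pulls it in, and flags copies older than the fixed releases named here (3.0.1 and 4.0.1). The sample lockfile and its versions are constructed placeholders, and the assumption that majors after 4 carry the fix is the example's own.

```javascript
// Added example: audit a package-lock.json (v1 layout) for unfixed trim-newlines copies.
const FIXED = { 3: [3, 0, 1], 4: [4, 0, 1] }; // first fixed release per major line (from the thread)

function parseVersion(v) {
  // "3.0.1" -> [3, 0, 1]; a pre-release suffix is dropped for this comparison
  return v.split("-")[0].split(".").map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}

function hasFix(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  if (fixed) return compare(v, fixed) >= 0; // 3.x or 4.x: compare against the fixed patch release
  return v[0] > 4;                          // assumption: later majors include the fix; 1.x/2.x do not
}

function findTrimNewlines(lock) {
  const found = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const p = [...path, `${name}@${dep.version}`];
      if (name === "trim-newlines") {
        found.push({ path: p.join(" > "), version: dep.version, fixed: hasFix(dep.version) });
      }
      walk(dep, p); // nested copies live under each dependency's own "dependencies"
    }
  };
  walk(lock, []);
  return found;
}

// Constructed sample lockfile: versions are placeholders, not real releases
const SAMPLE_LOCK = {
  dependencies: {
    "npm-check": {
      version: "0.0.0-sample",
      dependencies: {
        meow: { version: "0.0.0-sample", dependencies: { "trim-newlines": { version: "1.0.0" } } }
      }
    },
    "trim-newlines": { version: "4.0.1" }
  }
};

for (const hit of findTrimNewlines(SAMPLE_LOCK)) {
  console.log(`${hit.fixed ? "ok  " : "VULN"} ${hit.path}`);
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; `npm ls trim-newlines` gives the same paths for a v2/v3 lockfile.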

npm said their last publish was a year ago, do we know if they are still working on this project?

ghost avatar Jul 30 '21 14:07 ghost

Oh, good point. Last commit in this repo was Feb 2020 as well, and 179 open issues is a lot for a relatively small project... Bummer.

TyMick avatar Jul 30 '21 15:07 TyMick

A new version has been released since! (Nov 2021) and the latest commit dates to early 2022.

JeanMeche avatar Apr 13 '22 11:04 JeanMeche