
Fix security vulnerability by upgrading lib

Open dchambers opened this issue 5 years ago • 5 comments

Fixes CVE-2019-10747:

  • https://nvd.nist.gov/vuln/detail/CVE-2019-10747

dchambers avatar Oct 02 '19 10:10 dchambers

@jonschlinkert this is urgent, please merge when you can

RDIL avatar Nov 15 '19 16:11 RDIL

Please fix this. Thanks

finppp avatar Jan 21 '20 13:01 finppp

Thanks for the PR, but this isn't necessary. 3.0.1 is automatically used by semver. I will merge when we have other changes to make on this library.

jonschlinkert avatar Jan 21 '20 13:01 jonschlinkert

> Thanks for the PR, but this isn't necessary. 3.0.1 is automatically used by semver. I will merge when we have other changes to make on this library.

Agree that for new installs this will normally be the practical upshot, but I think security tooling will continue to see potential risks since there will always be edge cases (depending on your setup) where this may not happen in practice.

That said, I personally can live with ignoring the security warnings for a while longer 👍

dchambers avatar Jan 21 '20 14:01 dchambers

Looks like the chain that was following linked to this package/pr: https://github.com/jonschlinkert/cache-base/pull/12

Thanks for getting back to me though! Finlay

finppp avatar Jan 21 '20 14:01 finppp
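The maintainer's point is that a caret range lets semver resolve to the patched 3.0.1 on a fresh install; the edge case dchambers alludes to is any setup where the resolved version is pinned, most commonly an existing lockfile. The script below is an added example, not code from the union-value project or from anyone in this thread: it scans an npm `package-lock.json` (lockfileVersion 2 `packages` map assumed; the lock contents are constructed) for every resolved copy of `set-value`, nested copies included, and reports those older than 3.0.1, the fixed version quoted above. In practice the affected-version list should come from the advisory rather than a single minimum version.

```javascript
// Added example: flag lockfile-pinned copies of a dependency that predate the
// version the maintainer expects semver to pick up. Assumes npm lockfileVersion 2
// ("packages" keyed by node_modules path). Lock data below is constructed.

const PACKAGE = 'set-value';
const FIXED_VERSION = '3.0.1'; // version quoted in the thread

// Constructed lockfile fragment: one top-level copy still on 3.0.0,
// one nested copy already on 3.0.1.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    'node_modules/union-value': { version: '2.0.1' },
    'node_modules/set-value': { version: '3.0.0' },
    'node_modules/other-dep/node_modules/set-value': { version: '3.0.1' },
  },
};

// Compare two "major.minor.patch" strings numerically (pre-release suffix
// and build metadata are dropped). Returns <0, 0 or >0 like strcmp.
function compareVersions(a, b) {
  const parse = (v) => v.split('+')[0].split('-')[0].split('.').map((n) => Number(n) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when a lockfile path resolves to pkg, whether top-level or nested
// under another dependency's node_modules.
function isCopyOf(path, pkg) {
  return path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`);
}

// Return every resolved copy of pkg whose version is older than fixed.
function findUnpatched(lock, pkg = PACKAGE, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!isCopyOf(path, pkg) || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Human-readable summary for CI output; returns the lines it would print.
function report(lock, pkg = PACKAGE, fixed = FIXED_VERSION) {
  const hits = findUnpatched(lock, pkg, fixed);
  if (hits.length === 0) return [`${pkg}: all resolved copies are >= ${fixed}`];
  return hits.map((h) => `${pkg}@${h.version} pinned at ${h.path} (< ${fixed})`);
}

for (const line of report(SAMPLE_LOCK)) console.log(line);
```

Run this against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result means the caret range will not help until the lock is refreshed (for example by reinstalling the dependency), which is exactly the situation where security tooling keeps reporting the advisory.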