Security vulnerability due to svelte< 3.49.0
NPM complains when trying to install any package that depends on obsidian-calendar-ui due to a dependency on svelte < 4.59.0.
For example, when installing any package or plugin that depends on the latest versions of dataview, which in turn depend on obsidian-calendar-ui:
```
$ npm i

added 261 packages, and audited 262 packages in 22s

96 packages are looking for funding
  run `npm fund` for details

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
```

```
$ npm audit
# npm audit report

svelte  <3.49.0
Severity: moderate
Svelte vulnerable to XSS when using objects during server-side rendering - https://github.com/advisories/GHSA-wv8q-r932-8hc7
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svelte
  obsidian-calendar-ui  *
  Depends on vulnerable versions of svelte
  node_modules/obsidian-calendar-ui
    obsidian-dataview  >=0.4.22
    Depends on vulnerable versions of obsidian-calendar-ui
    node_modules/obsidian-dataview

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
The issue is flagged on dataview's site: https://github.com/blacksmithgu/obsidian-dataview/issues/2288, and presumably others.
Not sure if the issue should be addressed here or downstream. I would imagine that even after obsidian-calendar-ui updates (and maybe you already have! :) ), all the downstream dependents need to update as well.
Either way, I thought I might bring this to your attention here, and perhaps you might have suggestions as to approaches for down-down-downstream package developers such as myself?
Please feel free to close if this is not really anything that should be discussed here (e.g., it's all really the downstream users' responsibility ...)
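As an added illustration (not part of the issue above or of obsidian-calendar-ui), the script below reads the JSON form of the same report and traces each root advisory back to the direct dependency that pulls it in, so a downstream maintainer can see which package they actually control. It assumes the object shape emitted by `npm audit --json` (npm 7+); the sample input is constructed to mirror the obsidian-dataview -> obsidian-calendar-ui -> svelte chain, with the svelte fix version left as a placeholder because the report elides it.

```javascript
// Constructed sample mirroring `npm audit --json` for the chain in the report.
// Root advisories appear as objects inside `via`; transitive entries list the
// vulnerable dependency name as a string and point upward through `effects`.
const sampleAudit = {
  vulnerabilities: {
    svelte: {
      name: "svelte", severity: "moderate", isDirect: false, range: "<3.49.0",
      via: [{ source: 1, name: "svelte", dependency: "svelte", range: "<3.49.0", severity: "moderate",
              title: "Svelte vulnerable to XSS when using objects during server-side rendering",
              url: "https://github.com/advisories/GHSA-wv8q-r932-8hc7" }],
      effects: ["obsidian-calendar-ui"],
      // "X.Y.Z" is a placeholder: the report above does not show the version npm would install.
      fixAvailable: { name: "svelte", version: "X.Y.Z", isSemVerMajor: true },
    },
    "obsidian-calendar-ui": {
      name: "obsidian-calendar-ui", severity: "moderate", isDirect: false, range: "*",
      via: ["svelte"], effects: ["obsidian-dataview"],
      fixAvailable: { name: "svelte", version: "X.Y.Z", isSemVerMajor: true },
    },
    "obsidian-dataview": {
      name: "obsidian-dataview", severity: "moderate", isDirect: true, range: ">=0.4.22",
      via: ["obsidian-calendar-ui"], effects: [],
      fixAvailable: { name: "svelte", version: "X.Y.Z", isSemVerMajor: true },
    },
  },
};

// For every package carrying a real advisory, follow `effects` upward until a
// direct dependency (or a dead end) is reached and return the resulting chains
// in "direct -> ... -> vulnerable" order, plus whether the offered fix is breaking.
function traceAdvisories(audit) {
  const vulns = audit.vulnerabilities;
  const results = [];
  for (const v of Object.values(vulns)) {
    const advisories = v.via.filter((x) => typeof x === "object");
    if (advisories.length === 0) continue; // transitive entry, not a root cause
    const chains = [];
    const walk = (name, path) => {
      if (path.includes(name)) return; // guard against cyclic `effects`
      const node = vulns[name];
      const next = path.concat(name);
      if (!node || node.isDirect || node.effects.length === 0) { chains.push(next); return; }
      for (const parent of node.effects) walk(parent, next);
    };
    walk(v.name, []);
    for (const adv of advisories) {
      results.push({
        package: v.name, range: v.range, severity: adv.severity,
        advisory: adv.url.split("/").pop(),
        breakingFix: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
        chains: chains.map((c) => c.slice().reverse().join(" -> ")),
      });
    }
  }
  return results;
}

console.log(JSON.stringify(traceAdvisories(sampleAudit), null, 2));
```

Piping real output in with `npm audit --json > audit.json` and `JSON.parse`-ing that file in place of `sampleAudit` gives the same per-advisory chains for an actual install.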