
Several security vulnerabilities in dependency list

Open bennycode opened this issue 3 years ago • 7 comments

cpx defines a lot of vulnerable dependencies, such as:

  • braces@^1.8.2
  • semver-regex@^2.0.0
  • glob-parent@^2.0.0

Can you please update these deps? @mysticatea

bennycode avatar Feb 14 '22 12:02 bennycode
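A quick way to check whether the ranges listed above actually end up in a project's dependency tree is to scan the npm lockfile for every installed copy of those packages, nested copies included. The following is an added example, not code from the issue or from the cpx project; it assumes the `packages` layout of a lockfileVersion 2/3 `package-lock.json`, embeds a constructed sample lockfile (the `some-build-tool` consumer is hypothetical), and flags a copy when its major version matches the major pinned by the caret range in the post.

```javascript
// Added example (not part of the issue or of cpx): list every installed copy of
// the dependencies named in the issue and flag those whose major version falls
// in the listed caret range. Assumes a lockfileVersion 2/3 "packages" layout.

// Caret ranges quoted in the first post. For versions >= 1.0.0 a caret range
// keeps the major fixed, so comparing majors is enough for this check.
const WATCHED = {
  "braces": "^1.8.2",
  "semver-regex": "^2.0.0",
  "glob-parent": "^2.0.0",
};

// Constructed sample lockfile: a top-level braces 3.x plus a nested 1.x copy
// pulled in by a hypothetical consumer, the way `npm ls braces` would show it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/braces": { version: "3.0.2" },
    "node_modules/some-build-tool/node_modules/braces": { version: "1.8.5" },
    "node_modules/glob-parent": { version: "2.0.0" },
    "node_modules/semver-regex": { version: "3.1.4" },
  },
};

// Major version pinned by a caret range such as "^1.8.2" -> 1.
function caretMajor(range) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  return Number(m[1]);
}

function majorOf(version) {
  return Number(version.split(".")[0]);
}

// Returns one entry per installed copy of a watched package. The package name
// is whatever follows the last "node_modules/" segment, so scoped packages and
// nested copies are handled. `flagged` is true when the installed major equals
// the major of the watched caret range.
function findWatched(lock, watched = WATCHED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // the root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!(name in watched)) continue;
    hits.push({
      path,
      name,
      version: meta.version,
      flagged: majorOf(meta.version) === caretMajor(watched[name]),
    });
  }
  return hits;
}

// Human-readable summary; returns the number of flagged copies.
function report(lock) {
  const hits = findWatched(lock);
  for (const h of hits) {
    console.log(`${h.flagged ? "FLAG" : "ok  "} ${h.name}@${h.version}  (${h.path})`);
  }
  return hits.filter((h) => h.flagged).length;
}

// Usage: node check-lock.js [path/to/package-lock.json]; without an argument
// the constructed sample is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const flagged = report(lock);
  process.exitCode = flagged > 0 ? 1 : 0;
}
```

Run against the sample, the script flags the nested `braces@1.8.5` and `glob-parent@2.0.0` while leaving the 3.x copies alone; pointing it at a real `package-lock.json` shows whether a project actually pulls in the listed ranges, which is the same information `npm ls <pkg>` gives but in one pass for all three packages.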

It also uses [email protected] which has a critical security issue

nick-keller avatar Apr 22 '22 14:04 nick-keller

It also uses shell-quote, could you please update it to the latest as soon as possible?

Can anyone please look into this? @mysticatea @k88hudson @igor-toporet @forivall @pdehaan @quilicicf @yassh

AmirHussain93 avatar Jun 22 '22 05:06 AmirHussain93

I wish I could do something but I have no rights on that repository and my one and only PR never got merged :shrug: This repository hasn't seen a change since 2018 anyway, the maintainer probably doesn't receive the notifications anymore... So either we somehow manage to get @mysticatea to have a look (they seem to still be active on GitHub) or we might have to fork...

quilicicf avatar Jun 22 '22 09:06 quilicicf

Hi @quilicicf, thanks for the quick reply. Is there any way to inform the owner other than GitHub?

AmirHussain93 avatar Jun 22 '22 14:06 AmirHussain93

FYI: For time being we switched to https://www.npmjs.com/package/cpx-fixed mentioned in https://stackoverflow.com/questions/54996035/npm-copy-files-with-cpx-in-postinstall-script/59845967#59845967 - but of course it would be better when the "root" issue is addressed in this repository.

leschdom avatar Jun 23 '22 07:06 leschdom

I do not know the author unfortunately, so I have no clue what the best channel is to reach them :-( They didn't share their email on GitHub but it looks like they have a Twitter account with the same handle as on GitHub. Might be worth it to try I guess.

quilicicf avatar Jun 23 '22 09:06 quilicicf