
Bug report: yoteams-build-core dependency upon set-value 3.0.3 with CVE

Open rich2099 opened this issue 1 year ago • 2 comments

Description

Hi Team. I'm new to this, so please let me know if I'm doing something wrong here.

yoteams-build-core has a dependency upon gulp-inject ^5.0.5 which requires group-array ^1.0.1, which requires union-value ^2.0.1 which in turn requires set-value ^3.0.0, of which the latest version is 3.0.3.

set-value 3.0.3 is quarantined within my company due to CVE-2021-23440.

How does one go about the yoteams project so we can use a newer version?

Steps to reproduce

Within my environment, when I perform a yo teams and create a new tab project, it pulls dependencies and then fails due to the quarantine of set-value 3.0.3. I cannot side load this library as my organization prevents this.

Expected results

Update yo teams to use a newer version or provide a way to use a newer version.

Actual results

Within my environment, when I perform a yo teams and create a new tab project, it pulls dependencies and then fails due to the quarantine of set-value 3.0.3. I cannot side load this library as my organization prevents this.

Project you experience issues with

yoteams-build-core

generator version

4.1.0

build tools version

1.8.0

nodejs version

18.12.0

npm version

8.19.2

Operating system (environment)

Windows

Additional Info

Nothing else

rich2099 avatar Mar 20 '23 07:03 rich2099
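As an added example (not code from the generator-teams project or from the reporter), the following Node script scans a package-lock.json `packages` map for installed copies of set-value whose version falls in an affected range and reconstructs the dependency chain that pulls each one in; the lockfile contents and the affected version range are assumptions stated in the comments.

```javascript
// Added example, not code from the generator-teams project: scan an npm lockfile
// (lockfileVersion 2/3 "packages" map) for set-value copies in the affected range
// and reconstruct the chain that pulls each in. Lockfile data below is constructed.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "yoteams-build-core": "^1.8.0" } },
    "node_modules/yoteams-build-core": { version: "1.8.0", dependencies: { "gulp-inject": "^5.0.5" } },
    "node_modules/gulp-inject": { version: "5.0.5", dependencies: { "group-array": "^1.0.1" } },
    "node_modules/group-array": { version: "1.0.1", dependencies: { "union-value": "^2.0.1" } },
    "node_modules/union-value": { version: "2.0.1", dependencies: { "set-value": "^3.0.0" } },
    "node_modules/set-value": { version: "3.0.3" },
  },
};
// Numeric "x.y.z" compare: <0 if a < b, 0 if equal, >0 if a > b.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Affected range for CVE-2021-23440 as assumed here (<2.0.1, >=3.0.0 <4.0.1); verify against your advisory feed.
function isAffected(v) {
  return cmp(v, "2.0.1") < 0 || (cmp(v, "3.0.0") >= 0 && cmp(v, "4.0.1") < 0);
}
// Every installed copy of `name` (last path segment) whose version is affected.
function findAffected(lockfile, name, affected) {
  return Object.entries(lockfile.packages)
    .filter(([p, m]) => p.split("node_modules/").pop() === name && affected(m.version))
    .map(([p, m]) => ({ path: p, version: m.version }));
}
// Node-style lookup inside the lockfile: nearest node_modules first, then walk up to the root.
function resolve(lockfile, from, dep) {
  for (let base = from; ; base = base.slice(0, Math.max(base.lastIndexOf("/node_modules/"), 0))) {
    const cand = (base ? base + "/" : "") + "node_modules/" + dep;
    if (lockfile.packages[cand]) return cand;
    if (!base) return null;
  }
}
// Depth-first walk from the project root to `target`; returns the name@version chain.
function chainTo(lockfile, target, path = "", trail = [], seen = new Set()) {
  if (path === target) return trail;
  if (seen.has(path)) return null; else seen.add(path);
  for (const dep of Object.keys(lockfile.packages[path].dependencies || {})) {
    const next = resolve(lockfile, path, dep);
    const r = next && chainTo(lockfile, target, next, [...trail, `${dep}@${lockfile.packages[next].version}`], seen);
    if (r) return r;
  }
  return null;
}
```

Run against a real lockfile by replacing `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; each hit's chain shows which direct dependency has to move before the vulnerable copy disappears.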

@rich2099 we need to look into it to see if a newer version of set-value and we'll come back to you with instructions.

stephanbisser avatar Apr 17 '23 17:04 stephanbisser

> @rich2099 we need to look into it to see if a newer version of set-value and we'll come back to you with instructions.

@stephanbisser thank you!

rich2099 avatar Apr 18 '23 02:04 rich2099