
Question: drop Node v10? v12? (CVE-2022-33987)

Open sgb-io opened this issue 2 years ago • 1 comment

I believe that for np to resolve https://github.com/advisories/GHSA-pfrx-2q88-qq97, one dependency that needs to be upgraded is npm-name, in order to get the fixed version of got.

I see 2 reasonable options:

  1. A new patch version of v6 of npm-name is needed (which I think implies Node v10 support, since that was dropped in v7)
  2. This project needs to drop Node v10 in a major new version and upgrade to npm-name at v7 (breaking change).

I haven't yet looked at the other path, which is update-notifier, but at a glance I think there is a similar problem happening, with major new versions needed that drop support for older Node. I think Node v14 might be the minimum in that case.

Do you have a plan for this @sindresorhus? Thanks & shout out for all the hard work you do on these valuable libraries.

sgb-io avatar Jun 29 '22 22:06 sgb-io
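The dependency paths described above (np pulling `got` in through `npm-name` and, separately, through `update-notifier`) can be checked against a lockfile rather than guessed at. The following is an added example, not code from np or its dependencies: it walks a package-lock v2/v3 `packages` map, resolves dependencies the way Node does, and reports every installed copy of a package with the chain that pulls it in. The lockfile contents and versions are constructed for illustration, and the fixed-version threshold is a caller-supplied parameter, not a value taken from the advisory.

```javascript
// Added example, not code from np: walk a package-lock v2/v3 "packages" map,
// resolve each dependency as Node does (nearest node_modules, then upward) and
// report every installed copy of a package with the chain that pulls it in.
// Lockfile contents below are constructed for illustration only.
const lock = {
  packages: {
    "": { name: "np", dependencies: { "npm-name": "^6.0.0", "update-notifier": "^5.0.0" } },
    "node_modules/npm-name": { version: "6.0.0", dependencies: { got: "^9.6.0" } },
    "node_modules/npm-name/node_modules/got": { version: "9.6.0" },
    "node_modules/update-notifier": { version: "5.1.0", dependencies: { "latest-version": "^5.1.0" } },
    "node_modules/latest-version": { version: "5.1.0", dependencies: { "package-json": "^6.3.0" } },
    "node_modules/package-json": { version: "6.5.0", dependencies: { got: "^9.6.0" } },
    "node_modules/got": { version: "9.6.0" },
  },
};
// Find the lockfile entry Node would load for `dep` required from `from`.
function resolve(packages, from, dep) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (optional or missing dependency)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Every route from the root package to an installed copy of `target`.
function findCopies(packages, target) {
  const found = [];
  (function walk(path, names, stack) {
    if (stack.includes(path)) return; // cycle guard
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const child = resolve(packages, path, dep);
      if (!child) continue;
      const chain = names.concat(dep);
      if (dep === target) found.push({ path: child, version: packages[child].version, via: chain.join(" > ") });
      walk(child, chain, stack.concat(path));
    }
  })("", [], []);
  return found;
}
// Plain major.minor.patch comparison; prerelease tags are not handled.
function semverLt(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// `fixedAt` is supplied by the caller from the advisory; it is not a value on this page.
function vulnerableCopies(lock, pkg, fixedAt) {
  return findCopies(lock.packages, pkg).filter((c) => semverLt(c.version, fixedAt));
}
```

Calling `vulnerableCopies(lock, "got", fixedAt)` on the constructed lockfile returns both copies, each with its `via` chain, which is what decides whether bumping `npm-name` alone is enough or whether the `update-notifier` path must be upgraded as well.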

I just saw your comment here https://github.com/sindresorhus/np/issues/636. I am guessing it is the same answer for this vuln, so feel free to close this if that is correct.

TBH I am unsure if there is a realistic way of triggering this vuln via np, but I guess this library is likely to be used in CI servers, so I'm curious.

sgb-io avatar Jun 29 '22 22:06 sgb-io

Duplicate of https://github.com/sindresorhus/np/issues/636. The update of dependencies and minimum Node version is tracked in https://github.com/sindresorhus/np/issues/601

fregante avatar Feb 03 '23 11:02 fregante