path-loader
Update dependencies // superagent
This package depends on superagent 7.1.6. This is giving a deprecation warning.
npm WARN deprecated [email protected]: Please downgrade to v7.1.5 if you need IE/ActiveXObject support OR upgrade to v8.0.0 as we no longer support IE and published an incorrect patch version (see https://github.com/visionmedia/superagent/issues/1731)
Now even more relevant as [email protected] depends on [email protected] which is vulnerable to CVE-2022-24999, which has a CVSSv3 Base Score of HIGH (7.5)
Moreover, [email protected] depends on [email protected] which is vulnerable to CVE-2022-25901.
Please note that [email protected] depends on formidable@^2.0.1, which is vulnerable to CVE-2022-29622 - which has a CVSSv3 of 9.8 (CRITICAL).
@whitlockjc, if you are not going to maintain the library could you consider naming external maintainers?
Hey everyone, this is not mine... But I just wanted to share a workaround some friends came up with while we're waiting for an official fix. I'm not aware of any potential side effects, but it might be worth giving it a try to see how it goes.
You can modify your own package.json to override the version of superagent:

```json
{
  "overrides": {
    "path-loader": {
      "superagent": "9.0.0"
    }
  }
}
```
```
npm ls superagent
my-project
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected] overridden
      └── [email protected] overridden
```
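A lockfile check for the override workaround above, as an added example that is not part of the thread or of the path-loader project: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports which superagent copy each installed path-loader would actually load. The sample lockfile, the `legacy` package and the `0.0.0-example` versions are constructed for illustration.

```javascript
// Added example. Resolve which copy of `dep` a package installed at `fromPath`
// would load, following Node's lookup order: its own node_modules first, then
// the node_modules of each enclosing package, ending at the project root.
function resolveFrom(lock, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    const meta = lock.packages[candidate];
    if (meta) return { path: candidate, version: meta.version };
    if (!base) return null; // reached the project root without a match
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// For every installed copy of `parent`, report the `dep` it resolves to and
// whether that copy is the pinned version from the "overrides" entry.
function checkOverride(lock, parent, dep, pinned) {
  const suffix = 'node_modules/' + parent;
  return Object.keys(lock.packages)
    .filter((p) => p === suffix || p.endsWith('/' + suffix))
    .map((p) => {
      const resolved = resolveFrom(lock, p, dep);
      return { parent: p, resolved, ok: !!resolved && resolved.version === pinned };
    });
}

// Constructed sample lockfile. The path-loader nested under "legacy" has no
// private superagent, so it falls back to the hoisted 7.1.6 copy, which is
// what a stale lockfile written before the override was added looks like.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-project' },
    'node_modules/path-loader': { version: '0.0.0-example' },
    'node_modules/path-loader/node_modules/superagent': { version: '9.0.0' },
    'node_modules/superagent': { version: '7.1.6' },
    'node_modules/legacy': { version: '0.0.0-example' },
    'node_modules/legacy/node_modules/path-loader': { version: '0.0.0-example' },
  },
};

for (const r of checkOverride(sampleLock, 'path-loader', 'superagent', '9.0.0')) {
  const found = r.resolved ? r.resolved.version : 'none';
  console.log((r.ok ? 'OK   ' : 'FAIL ') + r.parent + ' -> superagent ' + found);
}
```

To run it against a real project, pass the parsed contents of `package-lock.json` in place of `sampleLock` and fail the CI job when any entry has `ok` set to `false`.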