yo
normalize-url security vuln - update package-json to v6
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ normalize-url                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yo                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yo > package-json > got > cacheable-request >                │
│               │ normalize-url                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1755                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
https://github.com/sindresorhus/package-json/releases/tag/v6.0.0 - should be pretty easy given the only breaking change is the Node 8 requirement, which is already true for yo
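To check whether the normalize-url version pinned in a lockfile actually falls inside the "Patched in" ranges from the audit table above, here is a small added example (not code from yo or package-json); it implements only the `>=`, `<` and `||` syntax the advisory uses, and the sample versions at the bottom are constructed.

```javascript
// Added example: evaluate the advisory's "Patched in" ranges against a version.
// Only the operators that appear in the npm audit output are supported.
const PATCHED_IN = '>=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1';

// Parse "1.2.3" into [1, 2, 3]; pre-release suffixes are rejected.
function parseVersion(v) {
  const parts = v.trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Compare two parsed versions component by component (negative, 0, positive).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// A comparator set such as ">=4.5.1 <5.0.0" holds when every comparator holds;
// alternatives separated by "||" are OR-ed, as in npm's range syntax.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((set) =>
    set.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<)(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(v, parseVersion(m[2]));
      return m[1] === '>=' ? c >= 0 : c < 0;
    })
  );
}

// True when the given normalize-url version is inside a patched range.
function isPatched(version) {
  return satisfies(version, PATCHED_IN);
}

// Constructed sample versions a lockfile might pin.
for (const v of ['4.5.0', '4.5.1', '5.3.0', '5.3.1', '6.0.0', '6.0.1']) {
  console.log(`${v}: ${isPatched(v) ? 'patched' : 'vulnerable'}`);
}
```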
~Currently waiting on a new release of got. See sindresorhus/got#1466~
Just noticed [email protected] uses the patched version of normalize-url. I'll open a PR.
I think it's been fixed upstream