
normalize-url security vuln - update package-json to v6

Open ntucker opened this issue 3 years ago • 2 comments

```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ normalize-url                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yo                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yo > package-json > got > cacheable-request >                │
│               │ normalize-url                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1755                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

https://github.com/sindresorhus/package-json/releases/tag/v6.0.0 - should be pretty easy, given the only breaking change is the Node 8 requirement, which is already true for yo.

ntucker avatar Jun 09 '21 06:06 ntucker
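The "Patched in" ranges in the audit box above are what decide whether a given installed copy is still affected; a lockfile can carry several copies of normalize-url at once (one hoisted, others nested), and each has to be checked on its own. The script below is an added example, not code from this issue or from the yo project: it reads a package-lock v1 style `dependencies` tree, collects every installed copy of a named package with the nesting location it sits at, and tests each version against the advisory's range string. It deliberately avoids the `semver` package so it runs with no installs, and it supports only plain `x.y.z` versions and the comparators the advisory string uses; the `SAMPLE_LOCK` object is constructed for the example and is not yo's real lockfile.

```javascript
// Added example: audit installed copies of a package in a package-lock v1 tree
// against an npm advisory's "Patched in" range string. Not from the issue or yo.

const PATCHED_RANGE = ">=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1";

// Parse "x.y.z" (optionally "vx.y.z") into [major, minor, patch]; prereleases are
// rejected on purpose, since this minimal comparator does not model them.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// One comparator such as ">=4.5.1" or "<5.0.0"; a bare version means "=".
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(comparator.trim());
  const op = m[1] || "=";
  const cmp = compareVersions(version, m[2]);
  switch (op) {
    case ">=": return cmp >= 0;
    case "<=": return cmp <= 0;
    case ">":  return cmp > 0;
    case "<":  return cmp < 0;
    default:   return cmp === 0;
  }
}

// Advisory ranges are "||"-separated sets; within a set, whitespace-separated
// comparators are ANDed. A version is patched if any set matches.
function satisfiesRange(version, range) {
  return range.split("||").some(set =>
    set.trim().split(/\s+/).every(c => satisfiesComparator(version, c)));
}

// Walk the lock's nested "dependencies" objects. The recorded path is the
// node_modules nesting location of each copy, not the full require chain that
// `npm audit` prints; a hoisted copy shows up with a one-element path.
function findInstalled(lockDeps, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(lockDeps || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ version: info.version, path: here });
    findInstalled(info.dependencies, name, here, out);
  }
  return out;
}

function auditLock(lock, name, patchedRange) {
  return findInstalled(lock.dependencies, name).map(hit => ({
    ...hit,
    patched: satisfiesRange(hit.version, patchedRange),
  }));
}

// Constructed sample lock (assumption, not yo's real lockfile): one hoisted copy
// still on 4.5.0 and one nested copy under cacheable-request already on 4.5.1.
const SAMPLE_LOCK = {
  name: "yo",
  lockfileVersion: 1,
  dependencies: {
    "normalize-url": { version: "4.5.0" },
    "cacheable-request": {
      version: "6.1.0",
      dependencies: { "normalize-url": { version: "4.5.1" } },
    },
    got: { version: "9.6.0" },
  },
};

function auditSample() {
  return auditLock(SAMPLE_LOCK, "normalize-url", PATCHED_RANGE);
}

for (const r of auditSample()) {
  console.log(`${r.path.join(" > ")}@${r.version}: ${r.patched ? "patched" : "VULNERABLE"}`);
}
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; for lockfile v2/v3 the `packages` map keyed by node_modules path would need to be walked instead of the nested `dependencies` tree, which this example does not do.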

~Currently waiting on a new release of got. See sindresorhus/got#1466~

Just noticed [email protected] uses the patched version of normalize-url. I'll open a PR.

Logicer16 avatar Jun 09 '21 10:06 Logicer16

I think it's been fixed upstream.

Logicer16 avatar Jun 29 '21 07:06 Logicer16