yarn audit
AndersDJohnson opened this issue · comments
Running yarn audit reveals this issue. Can you update the version of unified to the latest compatible version 6.2.0, hoping it has a patch?
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.0.2 <3.0.0 || >=3.0.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint-plugin-markdown │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ eslint-plugin-markdown > unified > extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/996 │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 877568
This package depends on unified@^6.1.2, and unified@6.1.2 and unified@6.2.0 both depend on extend@^3.0.0. So I think you should be able to upgrade to extend@^3.0.2 (adjusting your lockfile as necessary) while remaining compatible up the dependency chain? For example, I just ran npm install eslint-plugin-markdown in an empty directory, and npm ls extend now shows v3.0.2:
$ npm install eslint-plugin-markdown
npm WARN saveError ENOENT: no such file or directory, open '/private/tmp/test/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/private/tmp/test/package.json'
npm WARN test No description
npm WARN test No repository field.
npm WARN test No README data
npm WARN test No license field.
+ eslint-plugin-markdown@1.0.2
added 38 packages from 28 contributors and audited 43 packages in 1.614s
18 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
$ npm ls extend
/private/tmp/test
└─┬ eslint-plugin-markdown@1.0.2
└─┬ unified@6.2.0
└── extend@3.0.2
I'll close this for now as it doesn't look like I'll need to do a version bump since everything in the dependency chain is still in a semver-compatible range, but please let me know if I've missed something!