google / gts

☂️ TypeScript style guide, formatter, and linter.

Home Page: https://github.com/google/gts

Upgrade update-notifier version for fixing CVE-2022-33987

holblin opened this issue · comments

Hi,

I have multiple packages that use gts. Due to a CVE, gts is impacted in its latest version:

Updating update-notifier to the latest version and releasing a new version of gts will solve the issue.

Indeed, currently, this is the chain of versions from gts:
update-notifier (^5.0.0) > latest-version (^5.1.0) > package-json (^6.3.0) > got (^9.6.0)
And this will be the new chain of versions after the change:
update-notifier (6.0.2) > latest-version (^7.0.0) > package-json (^8.1.0) > got (^12.1.0)
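As an added example (not code from gts or from anyone in this thread), here is a small walker over an npm lockfile v2/v3 "packages" map that lists every dependency chain from the root to a target package and flags a resolved version below a given floor; the lock object is constructed to mirror the old chain above, and the 12.1.0 floor is simply the `got` range the new chain pins (`^12.1.0`), not a statement taken from any advisory.

```javascript
// Added example, not gts code. Walks a package-lock.json v2/v3 "packages" map
// and reports root-to-target dependency chains plus a minimum-version check.
const SAMPLE_LOCK = { // constructed to mirror the old gts chain in the issue
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { gts: "^3.1.0" } },
    "node_modules/gts": { version: "3.1.0", dependencies: { "update-notifier": "^5.0.0" } },
    "node_modules/update-notifier": { version: "5.1.0", dependencies: { "latest-version": "^5.1.0" } },
    "node_modules/latest-version": { version: "5.1.0", dependencies: { "package-json": "^6.3.0" } },
    "node_modules/package-json": { version: "6.5.0", dependencies: { got: "^9.6.0" } },
    "node_modules/got": { version: "9.6.0" },
  },
};
// Resolve `name` the way Node does: nearest node_modules first, then walk up.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const key = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[key]) return key;
    if (!base) return null;
    const up = base.lastIndexOf("/node_modules/");
    base = up === -1 ? "" : base.slice(0, up);
  }
}
// Depth-first walk; collects every chain as ["root", "name@version", ...].
function findChains(packages, target, path = "", trail = [], out = []) {
  const pkg = packages[path];
  const name = path ? path.slice(path.lastIndexOf("node_modules/") + 13) : pkg.name;
  const label = path ? `${name}@${pkg.version}` : name;
  if (trail.includes(label)) return out; // cycle guard for circular deps
  const next = [...trail, label];
  if (name === target) { out.push(next); return out; }
  for (const dep of Object.keys(pkg.dependencies || {})) {
    const hit = resolveDep(packages, path, dep);
    if (hit) findChains(packages, target, hit, next, out);
  }
  return out;
}
// Numeric major.minor.patch comparison; prerelease tags are ignored.
function versionBelow(version, minimum) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const [a, b] = [parse(version), parse(minimum)];
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// True when any reachable copy of `target` resolves to a version below `minimum`.
function audit(lock, target, minimum) {
  const chains = findChains(lock.packages, target);
  const ver = (label) => label.slice(label.lastIndexOf("@") + 1);
  return { chains, vulnerable: chains.some((c) => versionBelow(ver(c[c.length - 1]), minimum)) };
}
```

Run it against a real lockfile with `audit(JSON.parse(fs.readFileSync("package-lock.json")), "got", "12.1.0")`; a nested copy under a package's own node_modules is resolved before a hoisted one, so the chains reflect what npm actually loads.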

I love how this upgrade to update-notifier requires node 14 and a transition to ESM. Awesome.

Hi @bcoe, I disagree with the completion of this issue.
There was no new release of GTS following the fix, which keeps all the consumers impacted.

Could we re-open the issue until we get a new version published on npm?

Ref: https://www.npmjs.com/package/gts

@holblin 4.0.0 is released to the dist-tag next:

npm i gts@next

However it seems to have some issues:

Error: Cannot read config file: /Users/bencoe/google/nodejs-vision/samples/.eslintrc.yml
Error: Function yaml.safeLoad is removed in js-yaml 4. Use yaml.load instead, which is now safe by default.
    at Object.safeLoad (/Users/bencoe/google/nodejs-vision/node_modules/@eslint/eslintrc/node_modules/js-yaml/index.js:10:11)
    at loadYAMLConfigFile (/Users/bencoe/google/nodejs-vision/node_modules/@eslint/eslintrc/lib/config-array-factory.js:161:21)
    at loadConfigFile (/Users/bencoe/google/nodejs-vision/node_modules/@eslint/eslintrc/lib/config-array-factory.js:319:20)

@holblin I believe the issue I was running into was a stale package-lock.json issue, could you try 4.0.0 and let me know if it works for you?

It works 👍
Thanks a lot :-)