@nestjs/schedule2.1.0 depends on vulnerable versions of luxon

Question

@nestjs/schedule2.1.0 depends on vulnerable versions of luxon

PetrShchukin opened this issue 2 years ago · comments

The @nestjs/schedule package with version 2.1.0 depends on vulnerable versions of luxonluxon 1.0.0 - 1.28.1. Severity: high.

# npm audit report

luxon  1.0.0 - 1.28.1
Severity: high
Luxon Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-3xq5-wjfh-ppjc
fix available via `npm audit fix --force`
Will install cron@1.8.2, which is a breaking change
node_modules/luxon
  cron  >=1.8.3
  Depends on vulnerable versions of luxon
  node_modules/@nestjs/schedule/node_modules/cron
  node_modules/cron
    @nestjs/schedule  >=2.0.1
    Depends on vulnerable versions of cron
    node_modules/@nestjs/schedule

3 high severity vulnerabilities

Martin · Answer 1 · Wed Jan 11 2023 01:09:53 GMT+0800 (China Standard Time)

cron v2.2.0 uses the last version of luxon now: kelektiv/node-cron#646

Micael Levi L. Cavalcante · Answer 2 · Wed Jan 11 2023 01:25:31 GMT+0800 (China Standard Time)

so it's just a matter of merging #983

Kamil Mysliwiec · Answer 3 · Wed Jan 11 2023 15:45:06 GMT+0800 (China Standard Time)

let's track this here #983