Vulnerable is-email dependency in 4.1.11
vinczemarton opened this issue
I have "@segment/analytics.js-core": "4.1.11" installed. When running npm audit I get the following error:

```text
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Improper Input Validation in is-email                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ is-email                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @segment/analytics.js-core                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @segment/analytics.js-core > segmentio-facade > is-email     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-j377-2x76-558h            │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
I understand that there is a fix for is-email, but since segmentio-facade depends on the exact version 0.1.0 I'm not sure if it is compatible.
Can you update the dependencies for segmentio-facade and @segment/analytics.js-core so that they don't use is-email 0.1.0?
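The audit output above only shows one path, and the worry in this report is that an exact pin (is-email 0.1.0) keeps a private nested copy alive even after a patched copy is hoisted. The script below is an added example, not code from the issue or from the analytics.js-core project: it walks a package-lock.json in the lockfile v1 layout the way Node resolves modules (nearest node_modules first, then parents), lists every chain from a direct dependency down to a target package, and flags each copy whose version is below the "Patched in" bound. The lock data is constructed to mirror the reported path; the second consumer some-form-lib and every version other than 4.1.11, 0.1.0 and 1.0.1 are assumptions for illustration.

```javascript
// Added example (not from the issue or the analytics.js-core project): find
// every dependency chain to a package in a lockfile v1 package-lock.json and
// compare each resolved version against the "Patched in" lower bound.
// Run with: node find-dep-paths.js

// Constructed sample data modelled on the audit path in the issue. The
// "some-form-lib" consumer and its versions are assumptions for illustration.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "@segment/analytics.js-core": "4.1.11",
    "some-form-lib": "^2.0.0",
  },
};

const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "@segment/analytics.js-core": {
      version: "4.1.11",
      requires: { "segmentio-facade": "^3.2.7" },
    },
    "segmentio-facade": {
      version: "3.2.7",
      requires: { "is-email": "0.1.0" },
      // The exact pin forces a private nested copy even though a newer
      // is-email is hoisted to the top level.
      dependencies: { "is-email": { version: "0.1.0" } },
    },
    "is-email": { version: "1.0.1" },
    "some-form-lib": {
      version: "2.0.0",
      requires: { "is-email": "^1.0.0" },
    },
  },
};

// Plain x.y.z comparison; pre-release tags are deliberately not handled.
function parseVersion(v) {
  return v.split(".").map((part) => parseInt(part, 10) || 0);
}

function versionLt(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const diff = (x[i] || 0) - (y[i] || 0);
    if (diff !== 0) return diff < 0;
  }
  return false;
}

// Node-style resolution: the innermost node_modules scope wins, then parents.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) {
      return { entry: scopes[i][name], scopes: scopes.slice(0, i + 1) };
    }
  }
  return null;
}

// Returns [{ path: ["a@1.0.0", ..., "target@x.y.z"], version: "x.y.z" }, ...]
function findPaths(lock, pkg, target) {
  const found = [];
  const root = lock.dependencies || {};

  function walk(name, entry, scopes, chain) {
    const label = `${name}@${entry.version}`;
    if (chain.includes(label)) return; // cycle guard
    const path = chain.concat(label);
    if (name === target) {
      found.push({ path, version: entry.version });
      return;
    }
    // A package's own nested node_modules is searched before its ancestors.
    const inner = scopes.concat(entry.dependencies || {});
    for (const dep of Object.keys(entry.requires || {})) {
      const hit = resolve(dep, inner);
      if (hit) walk(dep, hit.entry, hit.scopes, path);
    }
  }

  // Start only from the app's direct dependencies so transitive packages do
  // not show up as chains of their own.
  for (const direct of Object.keys(pkg.dependencies || {})) {
    const hit = resolve(direct, [root]);
    if (hit) walk(direct, hit.entry, hit.scopes, []);
  }
  return found;
}

// Adds a "vulnerable" flag per chain using the advisory's "Patched in" bound.
function auditTarget(lock, pkg, target, patchedIn) {
  return findPaths(lock, pkg, target).map((hit) => ({
    ...hit,
    vulnerable: versionLt(hit.version, patchedIn),
  }));
}

const report = auditTarget(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON, "is-email", "1.0.1");
for (const hit of report) {
  console.log(`${hit.vulnerable ? "VULNERABLE" : "ok        "} ${hit.path.join(" > ")}`);
}
```

On the sample data the chain through segmentio-facade resolves to the nested 0.1.0 copy and is flagged, while the chain through some-form-lib resolves to the hoisted 1.0.1 copy and passes, which is exactly the situation an exact pin produces. To run it against a real project, replace the two sample objects with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and the project's package.json; after a candidate fix such as swapping the facade package, an empty result for is-email confirms that no chain is left. Lockfile v2 and v3 use a flat "packages" map keyed by path, which this walker does not parse.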
I've run into the same issue. It seems that segmentio-facade has been renamed to @segment/facade. The newest release of that new name has removed the dependency on is-email.
This diff should fix the security vulnerability
diff --git a/package.json b/package.json
index f72842c..9068476 100644
--- a/package.json
+++ b/package.json
@@ -37,6 +37,7 @@
"@ndhoule/pick": "^2.0.0",
"@segment/canonical": "^1.0.0",
"@segment/cookie": "^1.1.5",
+ "@segment/facade": "^3.4.0",
"@segment/is-meta": "^1.0.0",
"@segment/isodate": "^1.0.2",
"@segment/isodate-traverse": "^1.0.1",
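Review bot: the range "^3.4.0" on the added "@segment/facade" line accepts any 3.x release from 3.4.0 upward, but the comment above only states that the newest @segment/facade release dropped is-email; confirm that 3.4.0 itself no longer depends on is-email (for example by installing with this change and running npm ls is-email), or raise the lower bound to the first release that removed it, otherwise an install that resolves to 3.4.0 can still reach is-email 0.1.0 through the same path npm audit reported.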
@@ -57,7 +58,6 @@
"new-date": "^1.0.0",
"next-tick": "^0.2.2",
"package-json-versionify": "^1.0.4",
- "segmentio-facade": "^3.2.7",
"spark-md5": "^2.0.2",
"uuid": "^3.4.0"
},
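Review bot: dropping "segmentio-facade": "^3.2.7" here without the matching source change leaves every import of segmentio-facade in the code base unresolved after install, so the rename to @segment/facade in the sources has to land together with this hunk (the note below already acknowledges that code changes are needed); if the repository commits a lockfile, regenerate it in the same change as well, so the old segmentio-facade > is-email entry is actually removed rather than left pinned.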
but some changes to the actual codebase will be required.
^^^ PR opened with those changes.
Hi all, any updates on this?