Using vulnerable `js-yaml` version

Question

arturopie opened this issue 5 years ago · comments

bootstrap-loader is using a vulnerable dependency. See:

Released!

Justin Gordon · Answer 1 · Wed Mar 27 2019 14:27:17 GMT+0800 (China Standard Time)

@arturopie Any chance that you can throw in a PR?

Alec Flett · Answer 2 · Thu Mar 28 2019 01:32:35 GMT+0800 (China Standard Time)

@arturopie I just pushed one up!

Arturo Pie · Answer 3 · Thu Mar 28 2019 10:28:29 GMT+0800 (China Standard Time)

Thanks for the PR @alecf.
I'm sorry I didn't reply earlier @justin808, I have been very busy recently.

Justin Gordon · Answer 4 · Thu Mar 28 2019 12:02:50 GMT+0800 (China Standard Time)

@alecf @arturopie I just pushed 3.0.3 without local testing. Please confirm that you don't have any issues.

Arturo Pie · Answer 5 · Tue Apr 02 2019 11:14:03 GMT+0800 (China Standard Time)

@justin808 no issues so far. Thanks!

amenawat · Answer 6 · Sat Apr 27 2019 08:03:53 GMT+0800 (China Standard Time)

v3.0.3 uses js-yaml@3.13.0, but according to https://npmjs.com/advisories/813, it is patched in >=3.13.1. Can you please update this? Thank you.