Requesting to upgrade few internal dependent packages which seems to have potential fixes reported in OSS CVE
mannerni opened this issue · comments
mannerni commented
Request to upgrade & known timeline for the same would help.
- cookie: upgrade to 0.4.1 (Has Fix maxAge option to reject invalid values. Link: https://github.com/jshttp/cookie/releases/tag/v0.4.1.)
- util: upgrade to 0.12.4.
- string_decoder: upgrade to 1.3.0
- readable-stream: upgrade to 3.6.0
Also would like to understand the impact when users do not use such code (above ones) directly, is it safe to say that internally also these package code is not used untill then?