-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update vulnerable packages #763
Comments
decode-uri-component: This library is only used by devDependencies, so hopefully a safe change to make . The version to be upgraded is |
braces: "if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop" - per GHSA-grv7-fg5c-xmjg.
Unfortunately, |
@rorymckinley live-server is only used by an out of date ad unused dev server. We can just remove it and maybe fix the server later (i don't think the demo even needs it). I'll raise an issue to fix / update the dev demo. You can just remove the |
Note to self: When submitting the PR, add 'alarming comments' re: the |
Updated typesync - bumped up two minor versions as it was depending on ip which does not have a patch for the latest version and no patch on the horizon. |
postcss: Vulnerability relates to parsing of untrusted CSS - also only a devDependency. |
micromatch - vulnerable to regex DOS - used in a number of prod dependencies, but only 3 patch version bump needed to get a non-vulnerable version. |
word-wrap: devDependency vulnerable to a regex DOS. |
This is a bundle issue to cover upgrading issues picked up as a combination
pnpm audit
and dependabot. Each upgrade will be covered by a comment on the issue, covering the reasoning for the upgrade.The text was updated successfully, but these errors were encountered: