This repository has been archived by the owner on Apr 13, 2023. It is now read-only.
Medium security vulnerability with gatsby-plugin-printer dependencies #127
Npm audit output
Dependency trail issue tracker:
To be honest, browserify-as' owner doesn't appear to be available to merge. Update the dependency to my version (in the PR) for an updated version.
@srepollock did you release your own version of
@trevorblades I've updated that thread with an explanation and temporary solution if you want to go ahead and give that a try, let me know what you find too.
Following up on this as I'm not sure if there's anything I can do as an Apollo-docs theme to address this.
Switched to Yarn now and am forcing certain versions in downstream dependencies, as they cropped up to 5 vulnerabilities since this report. ...
```json
"dependencies": {
  "@aws-amplify/analytics": "^3.3.6",
  "antd": "^4.7.0",
  "aws-amplify": "^3.3.3",
  "gatsby": "^2.24.77",
  "gatsby-plugin-antd": "^2.2.0",
  "gatsby-plugin-catch-links": "^2.3.15",
  "gatsby-plugin-sitemap": "^2.4.16",
  "gatsby-remark-autolink-headers": "^2.3.15",
  "gatsby-theme-apollo-docs": "^4.5.3",
  "react": "^16.13.1",
  "react-dom": "^16.13.1"
},
"resolutions": {
  "graphql": "^14.7.0",     <-- latest gatsby and amplify conflict
  "bl": "^4.0.3",           <-- apollo theme docs downstream high vuln.
  "semver": "^7.3.2",       <-- same as above
  "node-fetch": "^2.6.1"    <-- same as above but medium vuln.
},
...
```
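The `resolutions` block above forces transitive dependencies (bl, semver, node-fetch) to a floor version, but nothing in Yarn checks that the floor you chose is actually at or above the version an advisory was fixed in. The script below is an added example, not code from this thread or from the gatsby-theme-apollo-docs project: it reads a package.json object, derives the lowest version each `^`/`~`/exact resolution admits, and compares it with a constructed advisory table. The advisory ids are placeholders and the `fixedIn` values are an assumption taken from the resolutions posted in the thread, not a lookup of the real advisories; feed it the versions from your own `yarn audit` output instead.

```javascript
// Added example: verify that Yarn "resolutions" floors are at or above the
// fixed version of known advisories. Not part of the original thread.

// Parse "1.2.3", "^1.2.3" or "~1.2.3" into the lowest version the range
// admits, as a [major, minor, patch] triple. Returns null for ranges this
// minimal parser does not understand (">=1.2.3 <2", "1.x", "*"), so the
// caller can flag them for manual review instead of guessing.
function minVersionOfRange(range) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two version triples: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Check every resolution against the advisory table. Returns records of
// { name, range, status, detail } where status is one of
// "ok", "too-low", "unparseable" or "no-advisory". Advisories that have no
// resolution at all are reported as "too-low" as well, since nothing pins them.
function checkResolutions(packageJson, advisories) {
  const resolutions = packageJson.resolutions || {};
  const results = [];
  for (const [name, range] of Object.entries(resolutions)) {
    const advisory = advisories.find((a) => a.name === name);
    if (!advisory) {
      results.push({ name, range, status: "no-advisory", detail: "no advisory on record" });
      continue;
    }
    const floor = minVersionOfRange(range);
    const fixed = minVersionOfRange(advisory.fixedIn);
    if (!floor || !fixed) {
      results.push({ name, range, status: "unparseable", detail: "range not understood; review manually" });
    } else if (compareVersions(floor, fixed) >= 0) {
      results.push({ name, range, status: "ok", detail: `floor ${range} >= fixed ${advisory.fixedIn}` });
    } else {
      results.push({ name, range, status: "too-low", detail: `floor ${range} < fixed ${advisory.fixedIn} (${advisory.id})` });
    }
  }
  for (const a of advisories) {
    if (!(a.name in resolutions)) {
      results.push({ name: a.name, range: null, status: "too-low", detail: `no resolution pins ${a.name} to >= ${a.fixedIn} (${a.id})` });
    }
  }
  return results;
}

// Only the findings that need action.
function summarize(results) {
  return results.filter((r) => r.status !== "ok" && r.status !== "no-advisory");
}

// CONSTRUCTED sample data. Ids are placeholders; fixedIn values are an
// assumption based on the resolutions posted in the thread.
const SAMPLE_ADVISORIES = [
  { id: "ADVISORY-PLACEHOLDER-1", name: "bl", fixedIn: "4.0.3", severity: "high" },
  { id: "ADVISORY-PLACEHOLDER-2", name: "semver", fixedIn: "7.3.2", severity: "high" },
  { id: "ADVISORY-PLACEHOLDER-3", name: "node-fetch", fixedIn: "2.6.1", severity: "moderate" },
];

const SAMPLE_PACKAGE_JSON = {
  resolutions: {
    graphql: "^14.7.0",
    bl: "^4.0.3",
    semver: "^7.3.2",
    "node-fetch": "^2.6.0", // deliberately one patch release too low
  },
};

for (const r of checkResolutions(SAMPLE_PACKAGE_JSON, SAMPLE_ADVISORIES)) {
  console.log(`${r.status.padEnd(12)} ${r.name.padEnd(12)} ${r.detail}`);
}
```

Run it with `node` and it flags the node-fetch resolution as too low while accepting bl and semver. A resolution only constrains what Yarn writes into the lockfile, so after editing `resolutions` re-run `yarn install` and `yarn audit` to confirm the lockfile actually moved.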
Hey team,
I'm getting CVE alerts about semver and bl dependencies that are used by
gatsby-plugin-printer
all the way down to LevelUp who removed that as a dependency. Is there anything I can help to get this sorted?
Update: I'm using the latest version
"gatsby-theme-apollo-docs": "^4.2.11"
Thanks a lot!