-
Notifications
You must be signed in to change notification settings - Fork 518
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update version of moment to fix GHSA-wc69-rhjr-hc9g (CVE-2022-31129) #692
Comments
Ug, sorry^10 all. Looking now. |
package-lock.json is not published to npm, so any So, I'll merge the PR to update the package-lock.json file. However, is there a need for a new release tag or published version to npm for anyone? Please let me know if so. My next inclination is to remove the package-lock.json file from the repo. My tendency more recently is to not have a package-lock.json file for library repos. Opinions vary. Anyway, I'll open a separate PR for that on which there can be discussion. We could always re-add the package-lock if there are strong enough uses for it. |
I would appreciate a bumped version published to npm. As long as we're talking about it, I'd like to throw this idea out there: substituting dayjs for momentjs would be super awesome. |
Why? It would be identical to the previous release (package-lock.json is not included in an npm published package).
Noted. I think there are issue(s) for that. #630 for one. |
I'd appreciate it too. It would automatically be fixed for most people, now I had to manually look at what's exactly wrong and do |
Updating the optional dependency and releasing a new version will propagate updates to dependents and transitive dependents. I made a PR 🤠 #701 |
Please update the version of moment to 2.29.4 to fix security vulnerability and release a new tag.
https://nvd.nist.gov/vuln/detail/CVE-2022-31129
GHSA-wc69-rhjr-hc9g
The text was updated successfully, but these errors were encountered: