This repository has been archived by the owner on Oct 4, 2020. It is now read-only.

latest eclint depends on vulnerable axios package #161

Open
dlouzan opened this issue May 30, 2019 · 2 comments

Comments


dlouzan commented May 30, 2019

See https://nvd.nist.gov/vuln/detail/CVE-2019-10742

(fix/security-vulnerabilities= d4c870e)$ yarn why axios
yarn why v1.16.0
[1/4] 🤔  Why do we have the module "axios"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "eclint#gulp-reporter" depends on it
   - Hoisted from "eclint#gulp-reporter#axios"
info Disk size without dependencies: "432KB"
info Disk size with unique dependencies: "496KB"
info Disk size with transitive dependencies: "628KB"
info Number of shared dependencies: 4
✨  Done in 0.69s.

(fix/security-vulnerabilities= d4c870e)$ yarn list eclint
yarn list v1.16.0
warning Filtering by arguments is deprecated. Please use the pattern option instead.
└─ [email protected]
✨  Done in 0.64s.
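An added example, not code from the eclint project or from either participant in this issue: it does offline what the `yarn why` output above does interactively, by parsing a yarn v1 lockfile, flagging any copy of a package locked below the first fixed version, and printing the dependency chain that pulls it in (here eclint -> gulp-reporter -> axios). The lockfile text is constructed for the example; the eclint and gulp-reporter versions in it are placeholders, and the assumption that CVE-2019-10742 is fixed from axios 0.18.1 onward follows the NVD entry linked above, which lists versions up to and including 0.18.0 as affected. Confirm the threshold against the advisory before relying on it.

```javascript
// Added example: find a transitive dependency pinned to a vulnerable
// version in a yarn v1 lockfile and report who pulls it in.
// Assumption: CVE-2019-10742 is fixed from axios 0.18.1 (NVD lists <= 0.18.0).

// Constructed lockfile fragment; only axios 0.18.0 reflects the advisory,
// the other versions and ranges are placeholders for the example.
const SAMPLE_YARN_LOCK = `# yarn lockfile v1

axios@^0.18.0:
  version "0.18.0"
  resolved "https://registry.yarnpkg.com/axios/-/axios-0.18.0.tgz"
  dependencies:
    follow-redirects "^1.3.0"
    is-buffer "^1.1.5"

eclint@^2.0.0:
  version "2.0.0"
  dependencies:
    gulp-reporter "^1.0.0"

follow-redirects@^1.3.0:
  version "1.3.0"

gulp-reporter@^1.0.0:
  version "1.0.0"
  dependencies:
    axios "^0.18.0"

is-buffer@^1.1.5:
  version "1.1.5"
`;

// "@scope/pkg@^1.0.0" -> "@scope/pkg"; "pkg@^1.0.0" -> "pkg"
function patternName(pattern) {
  const at = pattern.lastIndexOf('@');
  return at > 0 ? pattern.slice(0, at) : pattern;
}

// Minimal yarn v1 lockfile parser: entry headers at column 0 (one or more
// comma-separated "name@range" patterns ending in ':'), two-space keys,
// four-space dependency lines under "dependencies:".
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const patterns = line.replace(/:\s*$/, '').split(',')
        .map((p) => p.trim().replace(/^"|"$/g, ''));
      current = { name: patternName(patterns[0]), patterns, version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
      continue;
    }
    if (!current) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 2) {
      inDeps = false;
      if (body.startsWith('version ')) {
        current.version = body.slice('version '.length).replace(/^"|"$/g, '');
      } else if (body === 'dependencies:' || body === 'optionalDependencies:') {
        inDeps = true;
      }
    } else if (indent === 4 && inDeps) {
      const m = body.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Compare MAJOR.MINOR.PATCH[-prerelease]; a pre-release sorts before its release.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split('-', 2);
    return { nums: core.split('.').map(Number), pre: pre ?? null };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
}

// Return every locked copy of pkgName below firstFixedVersion, each with the
// root-to-package chains that require it (the "Reasons this module exists").
function findVulnerable(entries, pkgName, firstFixedVersion) {
  const byPattern = new Map();
  for (const e of entries) for (const p of e.patterns) byPattern.set(p, e);
  const dependentsOf = (entry) => entries.filter((e) =>
    Object.entries(e.dependencies).some(([n, r]) => byPattern.get(`${n}@${r}`) === entry));
  const chainsTo = (entry, seen = new Set()) => {
    if (seen.has(entry)) return []; // cycle guard
    const next = new Set(seen).add(entry);
    const parents = dependentsOf(entry);
    if (parents.length === 0) return [[entry.name]];
    return parents.flatMap((p) => chainsTo(p, next).map((c) => [...c, entry.name]));
  };
  return entries
    .filter((e) => e.name === pkgName && e.version && compareVersions(e.version, firstFixedVersion) < 0)
    .map((e) => ({ version: e.version, chains: chainsTo(e) }));
}

// Print findings; returns true when the lockfile is clean, so CI can gate on it.
function report(lockText, pkgName, firstFixedVersion) {
  const hits = findVulnerable(parseYarnLock(lockText), pkgName, firstFixedVersion);
  for (const h of hits) {
    console.log(`${pkgName}@${h.version} is below ${firstFixedVersion}; pulled in via:`);
    for (const c of h.chains) console.log('  ' + c.join(' -> '));
  }
  return hits.length === 0;
}

report(SAMPLE_YARN_LOCK, 'axios', '0.18.1');
```

Until gulp-reporter ships a release that bumps axios, a project consuming eclint can force the patched version of the transitive dependency with a `resolutions` entry in its own package.json (a yarn v1 feature), then re-run `yarn why axios` to confirm the hoisted copy changed.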

zbeekman commented Jul 1, 2019

It would be nice to see dependabot set up for eclint


zbeekman commented Jul 8, 2019

PR #163 adds a dependabot config.yml, but project authors/maintainers still need to enable it for the project and create a dependabot account.
