Latest version of cli is pulling in insecure packages that have available patches #6508
Comments
Now there's a vulnerability in

@sarahetter thanks for the quick turnaround on getting

@sarahetter thanks for such a fast turn around - I've confirmed that the latest version of
I assume you're happy for me to open a new issue with a similar format in future if new vulnerabilities come up, but let me know if there's another format you'd prefer 🙂

@G-Rath we've set up better tooling for us to notice these as they come up, thank you!

@sarahetter that new tooling doesn't seem to be working, since #6739 / #6704 has been open for a month now without any signs of attention from Netlify
Describe the bug
npm/cli#7356 - the use of a shrinkwrap means that even though there are available patches for these vulnerabilities, we're not able to install them.
Current vulnerabilities:
- follow-redirects v1.15.1 (chore(deps): bump follow-redirects from 1.15.1 to 1.15.6 #6446)
- tar v6.1.15 (chore(deps): bump tar from 6.1.15 to 6.2.1 #6504)
- word-wrap v1.2.3 (chore(deps): bump word-wrap from 1.2.3 to 1.2.5 #5895)

`npm audit` output as of 2024-04-23
Steps to reproduce
npm install netlify-cli
npm audit
Configuration
No response
Environment
Does not matter
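A check a maintainer or consumer could run against a published shrinkwrap to see which pinned copies sit below the patched versions named in the issue above. This is an added example, not code from the issue or from Netlify's tooling; the sample shrinkwrap is constructed, and the function names are hypothetical.

```javascript
// Patched floors are the "bump ... to X" targets listed in the issue.
const PATCHED = new Map([
  ['follow-redirects', '1.15.6'], ['tar', '6.2.1'], ['word-wrap', '1.2.5'],
]);

// Constructed sample in npm's lockfileVersion 3 layout; not netlify-cli's real shrinkwrap.
const SAMPLE_SHRINKWRAP = {
  name: 'example-cli',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-cli', version: '1.0.0' },
    'node_modules/follow-redirects': { version: '1.15.1' },
    'node_modules/tar': { version: '6.2.1' },
    'node_modules/word-wrap': { version: '1.2.3' },
    'node_modules/some-dep/node_modules/tar': { version: '6.1.15' },
    'node_modules/@scope/pkg': { version: '2.0.0' },
  },
};

// Compare plain x.y.z versions numerically; prerelease tags are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

// The package name is whatever follows the last "node_modules/" in the key,
// which covers nested copies and scoped names.
function packageName(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Return every pinned copy, top-level or nested, that is below its patched floor.
function findUnpatchedPins(shrinkwrap, patched = PATCHED) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(shrinkwrap.packages || {})) {
    if (!lockPath.includes('node_modules/') || !entry.version) continue;
    const name = packageName(lockPath);
    const floor = patched.get(name);
    if (floor && compareVersions(entry.version, floor) < 0) {
      findings.push({ name, path: lockPath, pinned: entry.version, patched: floor });
    }
  }
  return findings;
}

console.log(findUnpatchedPins(SAMPLE_SHRINKWRAP));
```

Because a shrinkwrap ships inside the published package, a nested pin such as the second `tar` copy in the sample stays in place for consumers until the publisher releases a new version.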