[security] upgrade lerna from 4.x to 5.x #11737
Labels: dependencies (pull requests that update a dependency file), enhancement (issues that are enhancements to current functionality - nice to haves)
Comments
marcdumais-work added a commit that referenced this issue on Oct 5, 2022:

Fixes #11737

before update: 7 vulnerabilities found - Packages audited: 1946
Severity: 3 Moderate | 2 High | 2 Critical

after update: 2 vulnerabilities found - Packages audited: 2036
Severity: 1 Moderate | 1 High

Signed-off-by: Marc Dumais <marc.dumais@ericsson.com>
marcdumais-work added a commit that referenced this issue on Oct 11, 2022:

Fixes #11737

before update: 7 vulnerabilities found - Packages audited: 1946
Severity: 3 Moderate | 2 High | 2 Critical

after update: 2 vulnerabilities found - Packages audited: 2036
Severity: 1 Moderate | 1 High

Signed-off-by: Marc Dumais <marc.dumais@ericsson.com>
Bug Description:

ATM we use an older version of lerna (4.x) as a dev-dependency in Theia. This dependency is propagated to all Theia-based products, for development (not runtime - end-users of Theia-based IDEs are not affected).

According to "yarn audit", all our high and critical vulnerabilities (2 of each) are recursive dependencies of lerna. Upgrading to lerna v5.x would probably clear those vulnerabilities.

Steps to Reproduce:

$ yarn audit --level high

lerna dependencies are the cause of the high and critical (dev-)dependency vulnerabilities.

Additional Information

Here is a screenshot of the full yarn audit output (the ASCII copy&paste does not render well here):

[screenshot: yarn audit output]