chore: mitigate security advisory 886 #198

Closed
wants to merge 2 commits into from
Conversation

@hughrawlinson commented May 22, 2019

node-gyp@3.8.0 uses fstream@1.0.11, which has this advisory: https://www.npmjs.com/advisories/886

node-gyp@4.0.0 resolved that vulnerability by removing dependencies on fstream.

I also bumped npm-lifecycle@2.1.0 to 2.1.1, which does the same as above.

The tests don't pass locally, but I'm hoping the reasons why become more clear by running on CI, so that I can resolve them.

Please feel free to close this if it doesn't make sense for some reason I haven't thought of (or of course for any other reason). Thank you all for all you do! 😄

@hughrawlinson requested a review from a team as a code owner May 22, 2019 13:05

Commits in this pull request:

1. node-gyp@3.8.0 uses fstream@1.0.11, which has this advisory: https://www.npmjs.com/advisories/886
   node-gyp@4.0.0 uses fstream@1.0.12, which has resolved the issue

2. npm-lifecycle@2.1.0 also depends on node-gyp@3.8.0.
   Bumping to npm-lifecycle@2.1.1 addresses the issue
@brettz9 (Contributor) commented Jun 10, 2019

Would be great to get this looked at, as npm audit is listing 12 high-risk advisories resulting from these two packages (none of which npm audit fix is able to fix)...

@isaacs (Contributor) commented Jun 26, 2019

Bumping to node-gyp v4 will take some more refactoring, but the fstream vuln will be fixed in the next release. Thanks!
