However these packages are now all pure ESM.
To allow these dependencies to be updated, and thus for the vulnerabilities to be fixed, yo, yeoman/doctor, and yeoman/insight should switch to ESM as well.
This has additionally caused problems with insight, as os-name >= v5.0.0 is also pure ESM, which resulted in insight being removed.
This has been an ongoing issue for the project. Related issues I've found include (17 total):
Each of these requires this being implemented to be properly fixed.
Other yeoman packages have already made the switch to ESM, including update-notifier, stringify-object, and configstore, with environment and generator soon to follow.
Steps to reproduce the behavior
npm audit
Command line output
# npm audit report
got <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install yo@1.4.5, which is a breaking change
node_modules/got
node_modules/latest-version/node_modules/got
node_modules/npm-keyword/node_modules/got
node_modules/yeoman-doctor/node_modules/got
npm-keyword <=6.1.0
Depends on vulnerable versions of got
node_modules/npm-keyword
yo >=1.2.1
Depends on vulnerable versions of got
Depends on vulnerable versions of meow
Depends on vulnerable versions of npm-keyword
Depends on vulnerable versions of update-notifier
Depends on vulnerable versions of yeoman-doctor
node_modules/yo
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/latest-version/node_modules/package-json
node_modules/yeoman-doctor/node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
node_modules/yeoman-doctor/node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
yeoman-doctor >=1.4.0
Depends on vulnerable versions of bin-version-check
Depends on vulnerable versions of latest-version
node_modules/yeoman-doctor
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install yo@1.4.5, which is a breaking change
node_modules/cacheable-request/node_modules/http-cache-semantics
cacheable-request 0.1.0 - 2.1.4
Depends on vulnerable versions of http-cache-semantics
node_modules/cacheable-request
semver-regex <=3.1.3
Severity: high
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
fix available via `npm audit fix --force`
Will install yo@1.4.5, which is a breaking change
node_modules/semver-regex
find-versions <=3.2.0
Depends on vulnerable versions of semver-regex
node_modules/find-versions
bin-version <=4.0.0
Depends on vulnerable versions of find-versions
node_modules/bin-version
bin-version-check <=4.0.0
Depends on vulnerable versions of bin-version
node_modules/bin-version-check
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix --force`
Will install yo@1.4.5, which is a breaking change
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
Depends on vulnerable versions of yargs-parser
node_modules/meow
yargs-parser 6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install yo@1.4.5, which is a breaking change
node_modules/yargs-parser
16 vulnerabilities (5 moderate, 11 high)
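The report above is what a maintainer has to act on. As an added example (not code from the issue or from the yo/yeoman projects), the Node script below does the two checks the discussion turns on: it reads the JSON form of that report (`npm audit --json`, npm 7+) and lists the entries whose only offered fix is a semver-major install (the "Will install yo@1.4.5, which is a breaking change" case), then inspects a candidate upgrade's package.json to tell whether it is CommonJS, pure ESM or dual, which is why the bump cannot simply be taken from a CommonJS consumer. The report excerpt and manifests are constructed to mirror the output quoted above, and the format classification is a heuristic over `type`, `main` and `exports`, not Node's resolver.

```javascript
'use strict';
// Added example, not code from the yeoman issue or the yo code base: triage an
// `npm audit --json` report (npm >= 7 format) for entries whose only fix is a
// semver-major install, then check whether the version a maintainer would move
// to is ESM-only by reading its package.json. All sample data is constructed.

// Format of one entry file: the extension decides, otherwise the package "type".
// Type declarations and JSON are not executable entry points and are ignored.
function fileFormat(file, type) {
  if (/\.d\.[cm]?ts$/.test(file) || file.endsWith('.json')) return null;
  if (file.endsWith('.mjs')) return 'esm';
  if (file.endsWith('.cjs')) return 'cjs';
  return type === 'module' ? 'esm' : 'cjs';
}

// Walk an "exports" field (string, array, subpath map or condition map) and
// record every format a consumer could resolve to; a "require" or "import"
// condition fixes the format regardless of the file name.
function collectFormats(node, type, out, cond = null) {
  if (typeof node === 'string') {
    const fmt = cond === 'require' ? 'cjs' : cond === 'import' ? 'esm' : fileFormat(node, type);
    if (fmt) out.add(fmt);
  } else if (Array.isArray(node)) {
    node.forEach((n) => collectFormats(n, type, out, cond));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key === 'types' || key === 'typings') continue;
      collectFormats(value, type, out, key === 'require' || key === 'import' ? key : cond);
    }
  }
}

// Heuristic classification of a parsed package.json: 'cjs', 'esm-only', 'dual'
// or 'unknown'. "exports" takes precedence over "main", as it does in Node.
function classifyPackage(pkg) {
  const type = pkg.type === 'module' ? 'module' : 'commonjs';
  const formats = new Set();
  if (pkg.exports !== undefined) collectFormats(pkg.exports, type, formats);
  else if (pkg.main) collectFormats(String(pkg.main), type, formats);
  else formats.add(type === 'module' ? 'esm' : 'cjs'); // implicit ./index.js
  if (formats.has('esm') && formats.has('cjs')) return 'dual';
  if (formats.has('esm')) return 'esm-only';
  if (formats.has('cjs')) return 'cjs';
  return 'unknown';
}

// npm encodes fixAvailable as true (clean fix), false (none) or an object naming
// the root package that would change and whether that install is semver-major,
// which the text report prints as "which is a breaking change".
function semverMajorFixes(report) {
  const out = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    if (!fix || fix === true || !fix.isSemVerMajor) continue;
    // Objects in "via" are advisories against this package itself; strings name
    // the vulnerable dependencies it only inherits the problem from.
    const advisories = (vuln.via || []).filter((v) => typeof v === 'object');
    out.push({ name: vuln.name, range: vuln.range, severity: vuln.severity,
      hasOwnAdvisory: advisories.length > 0, advisories: advisories.map((a) => a.url),
      fix: `${fix.name}@${fix.version}` });
  }
  return out;
}

// Join flagged entries with the module format of the version a maintainer would
// move to; `latest` maps package name -> parsed package.json of that version.
function triage(report, latest) {
  return semverMajorFixes(report).map((v) => ({
    ...v,
    latestFormat: latest[v.name] ? classifyPackage(latest[v.name]) : 'unknown',
  }));
}

// Constructed excerpt of `npm audit --json`, mirroring two entries in the issue.
const SAMPLE_REPORT = { vulnerabilities: {
  got: { name: 'got', severity: 'high', range: '<=11.8.3',
    via: [{ name: 'got', title: 'Got allows a redirect to a UNIX socket',
            url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97' }, 'cacheable-request'],
    fixAvailable: { name: 'yo', version: '1.4.5', isSemVerMajor: true } },
  meow: { name: 'meow', severity: 'high', range: '3.4.0 - 5.0.0',
    via: ['trim-newlines', 'yargs-parser'],
    fixAvailable: { name: 'yo', version: '1.4.5', isSemVerMajor: true } },
} };

// Constructed manifests with the shape of the pure-ESM releases (got >= 12,
// meow >= 10): "type": "module" plus a single .js export, no "require" condition.
const SAMPLE_LATEST = {
  got: { name: 'got', type: 'module', exports: './dist/source/index.js' },
  meow: { name: 'meow', type: 'module', exports: './index.js' },
};

// Real use: save `npm audit --json > audit.json` and JSON.parse that file instead.
console.table(triage(SAMPLE_REPORT, SAMPLE_LATEST));
```

Run it with node. Against a real project, feed JSON.parse of the saved audit report and a map of the manifests you would upgrade to (for instance the published package.json fields printed by `npm view <pkg> --json`). An `esm-only` result for a package whose root consumer is CommonJS means the vulnerable range cannot be left behind with a plain version bump: the consumer needs either a dynamic import() or its own ESM migration, which is the point the issue makes about yo, yeoman/doctor and yeoman/insight.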
The text was updated successfully, but these errors were encountered:
Is there any progress towards fixing the vulnerable dependencies? Trying to install yo at the moment fires a ton of vulnerability warnings. In this state yo is unusable for our purposes.
Type of issue
Bug Report
My environment
OS: macOS Monterey 12.6.7
node --version: v20.2.0
npm --version: 9.6.6
yo --version: 4.3.1
Expected behavior
yo has no vulnerable dependencies.
Current behavior
The following are vulnerable package versions from yo and its dependencies, yeoman/doctor and yeoman/insight:
Related issues I've found include (17 total):
yo depends on deprecated module.parent, should update meow (#786)
got over request (insight#52)