Vulnerability with acorn #17899
Comments
|
Hi @vishnutsivan, can you please share the vulnerability report? less 3.11.1 doesn't depend on acorn. |
|
@alan-agius4 in package.json of less 3.11.1 there is no dependency on acorn. But if we browse node_modules then we can find it's reference |
|
@vishnutsivan I see, the used to ship a node_modules directory as part of the package. |
|
@alan-agius4 yes, and in the latest version of less ie 3.11.3 there are no such shipping of node_modules |
|
Note: this security notuice doesn't effect package manager audit tools such as NPM and Yarn. @vishnutsivan, left you a couple of comments on the PR, thanks. |
alan-agius4
added
area: @angular-devkit/build-angular
freq1: low
alan-agius4
removed
needs: more info
|
Closing via #17898 |
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
🐞 Bug report
Our security check tool is throwing a vulnerability issue with acorn 6.3.0
Description
@angular-devkit/build-angular@0.901.7 is dependent on less version 3.11.1 which has dependency with acorn@6.3.0.
Possible Fix
We think we can solve this issue by updating less to version 3.11.3
Please have a look on pull request #17898
The text was updated successfully, but these errors were encountered: