This repository has been archived by the owner on Jan 3, 2023. It is now read-only.
Security update: ensure nodemon^1.18.7 #395
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I've been thinking about doing that, thank you. Too bad that npm seems to be so flaky when it comes to actually pulling in the latest version. |
devaips
pushed a commit
to kubernetes-sigs/apisnoop
that referenced
this pull request
Feb 3, 2019
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A critical security issue with
flatmap-streamwas traced to a sub-debpendency ofnodemon. This is fixed innodemon@1.18.7. I realize thatnodemonis only adevDependencythat is installed when youfeathers generate appso it shouldn't affect production apps, and that since no version is currently specified it should get the latest version (which is fixed). However, I just updated my global@feathersjs/cliand ranfeathers generate appand it installednodemon@1.18.6which still contained the vulnerability.For the time being, it seems wise to specify
nodemon@^1.18.7in the app generator just to make sure people don't inadvertently get the malicious code on their systems. This can probably be removed in the near future, but I don't think it could hurt to make this the minimum version, for now.