mapbox-gl-js version: 1.12.0 (but doesn't really matter)
mapbox-gl-draw version: 1.2.0
Steps to Trigger Behavior
1. Init an npm repo using "npm init" and pressing "Enter" for all prompts
2. Run "npm i @mapbox/mapbox-gl-draw"
3. Run "npm audit"
Expected Behavior
0 vulnerabilities reported.
Actual Behavior
2 vulnerabilities reported:
![mapbox-gl-draw-vulnerabilities](https://user-images.githubusercontent.com/25929663/97984691-c54cf680-1ddf-11eb-9f2f-fbdc1bad7526.png)
Additional info
Both vulnerabilities are caused by the minimist package at version 1.2.0, in which there is a low vulnerability. It is fixed in the newest version of minimist.
To fix the "@mapbox/mapbox-gl-draw > @mapbox/geojson-extent > @mapbox/geojson-coords > geojson-flatten > minimist" path, all you need to do is bump the @mapbox/geojson-extent version to 1.0.0; every library down the path is already updated to a version without the vulnerability.
For the "@mapbox/mapbox-gl-draw > @mapbox/geojsonhint > minimist" path, @mapbox/geojsonhint has already updated the minimist version to a non-vulnerable version, but the change isn't released yet. There is an issue about that, but there has been no activity since May of this year.
I know that this vulnerability can't really be exploited from the mapbox-gl-draw package, but my company has a blanket "no vulnerabilities" policy, so if you can update those packages, it would be greatly appreciated.
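An added example, not part of the original issue or of any Mapbox project: a small walker over `npm ls --json` style output that lists every dependency path reaching a package and names the intermediate dependency whose bump would clear that path. The sample tree is constructed to mirror the two paths described above; only minimist 1.2.0 and mapbox-gl-draw 1.2.0 come from the issue, and the function names and other versions are assumptions.

```javascript
// Added example. Walks `npm ls --json` style output (nested `dependencies`
// objects) and reports every path that reaches a target package.

// Constructed sample mirroring the two paths in the issue. minimist 1.2.0 and
// mapbox-gl-draw 1.2.0 come from the issue; "0.0.0-sample" is a placeholder.
const P = "0.0.0-sample";
const flaggedLeaf = () => ({ minimist: { version: "1.2.0" } });
const sampleTree = {
  name: "demo-app",
  dependencies: {
    "@mapbox/mapbox-gl-draw": {
      version: "1.2.0",
      dependencies: {
        "@mapbox/geojson-extent": {
          version: P,
          dependencies: {
            "@mapbox/geojson-coords": {
              version: P,
              dependencies: {
                "geojson-flatten": { version: P, dependencies: flaggedLeaf() },
              },
            },
          },
        },
        "@mapbox/geojsonhint": { version: P, dependencies: flaggedLeaf() },
      },
    },
  },
};

// Depth-first search; `trail` is the chain of package names from the root.
// `via` is the second hop: the dependency of the top-level package to bump.
function findPaths(node, target, trail = [], hits = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...trail, name];
    if (name === target) {
      hits.push({ path: here.join(" > "), version: dep.version, via: here[1] || here[0] });
    }
    findPaths(dep, target, here, hits);
  }
  return hits;
}

// Mark hits whose resolved version is in a caller-supplied list of flagged versions.
function flagPaths(tree, target, flaggedVersions) {
  return findPaths(tree, target).map((hit) => ({
    ...hit,
    flagged: flaggedVersions.includes(hit.version),
  }));
}

console.log(flagPaths(sampleTree, "minimist", ["1.2.0"]));
```

On a real project, pass the parsed output of `npm ls --json` in place of `sampleTree`.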