-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
minimist used with security vulnerability #9431
Comments
This was fixed in #9425. |
That's not currently available in a stable version |
v1.9.0 will be released tomorrow; meanwhile, you can use the beta version if that security warning concerns you. It doesn't actually affect GL JS in any way since it's not used by it directly, only for some minor tools for the style specification. |
When will |
@FabianKoestring there was a minor delay after discovering a regression, but it should be up today hopefully. |
Just a heads up that this is not resolved in the new v1.9.0 release (since it sounds like that was maybe expected). Version 1.9.0 still has the minimist version pinned to 0.0.8: https://github.com/mapbox/mapbox-gl-js/blob/v1.9.0/package.json#L30 As an additional note, once v1.9.1 ships (or which ever version includes the update), currently mapbox-gl would still introduce a nested dependency on a vulnerable minimist version due to the I understand this security issue may not really affect mapbox-gl's browser usage, but it might still be nice if this were addressed to cut down on automated security alerts generated by various tools. Here's the current results of
|
Sorry, there was a miscommunication earlier. This fix was merged after we'd cut the beta branch for 1.9.0 so it did not make it into the release. This doesn't seem urgent enough to necessitate a patch release, especially if the offending version of As for the dependency using |
@ryanhamley let me deal with |
I faced similar audit warnings as mentioned earlier by @GUI . So, this issue is expected to be fixed in 1.10.0 release in April month? Pls, confirm some tentative date. Mapbox-gl is the only package whose audit failures need to be fixed in my project. So, I am waiting for it to fix its vulnerabilities to have a clean npm audit report. Thanks Team. |
@GagandeepKaur 1.10 is planned to be a significant release so our timeline with it is more tentative than usual. that said, we expect to cut a beta release next week with an eye towards a full release two weeks later. we've built in an extra week of testing for some larger improvements so if we find bugs, it's always possible the release could be pushed slightly, but we expect to have 1.10 out this month |
|
Sorry for reopening, we thought this was not addressed for production dependencies, |
Available as of yesterday in our beta release: https://www.npmjs.com/package/mapbox-gl/v/1.10.0-beta.1. |
Currently used versions of
minimist
in stable versions has a security vulnerability:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598
The text was updated successfully, but these errors were encountered: