Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NPM package specifies serialize-javascript@3.0.0, but same version in repo specifies 3.1.0 #4375

Closed
jrrbru opened this issue Jul 14, 2020 · 2 comments · Fixed by #4378
Closed

NPM package specifies serialize-javascript@3.0.0, but same version in repo specifies 3.1.0 #4375

jrrbru opened this issue Jul 14, 2020 · 2 comments · Fixed by #4378
Labels
type: question support question

Comments

@jrrbru
Copy link

jrrbru commented Jul 14, 2020

https://nvd.nist.gov/vuln/detail/CVE-2020-7660 outlines a vulnerability with serialize-javascript prior to 3.1.0. Thankfully, mocha 8.0.1 specifies version 3.1.0. Unfortunately, the package published on NPM still says 3.0.0. Can this be fixed?
@jrrbru jrrbru added the type: question support question label Jul 14, 2020
@wnghdcjfe
Copy link
Contributor 


    "serialize-javascript": "3.1.0",

package.json said 3.1.0 /
What do you think you see?

@wnghdcjfe wnghdcjfe mentioned this issue Jul 20, 2020
Merged
@beeryt
Copy link

beeryt commented Jul 23, 2020
edited
Loading

Release 8.0.1 package.json in 9b203fa uses serialize-javascript@3.0.0
Use of serialize-javascript@3.1.0 was introduced to master in f073689.

@boneskull boneskull linked a pull request Jul 29, 2020 that will close this issue
Update javascript-serialize 3.1.0 to 4.0.0 #4378
Merged
boneskull pushed a commit that referenced this issue Jul 29, 2020
@wnghdcjfe
Update javascript-serialize 3.1.0 to 4.0.0; closes #4375 (#4378)
29012aa 
* Update javascript-serialize 3.1.0 to 4.0.0

* Change package-lock.json

* Change package-lock.json
@captain-kark captain-kark mentioned this issue Sep 3, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: question support question
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update javascript-serialize 3.1.0 to 4.0.0
3 participants
@jrrbru @wnghdcjfe @beeryt