This repository has been archived by the owner on Jan 9, 2023. It is now read-only.
Fix dependency on vulnerable winston package #118
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
We have been seeing this error message due to the latest version Smartsheet SDK depending on Winston@2.4.5 which depends on the library async@1.0.0 which has a security vulnerability.
async <2.6.4
Severity: high
Prototype Pollution in async - GHSA-fwr7-v2mv-hh25
fix available via
npm audit fix --forceWill install smartsheet@0.2.0, which is a breaking change
node_modules/async
winston 0.4.0 - 3.0.0-rc6
Depends on vulnerable versions of async
node_modules/winston
smartsheet >=1.0.0-beta.0
Depends on vulnerable versions of winston
node_modules/smartsheet
Please update the SDK to use the latest version of winston.
The text was updated successfully, but these errors were encountered: