Please update dependency of url-loader due to transitive dependency vulnerability #2842
Comments
Thanks @Stephanemw, will upgrade that. @davegaeddert any idea why dependencies.io doesn't offer this upgrade?
@Hypnosphi I will have to do some digging. Looks like it was the only instance of url-loader that was missed though? Is there any chance it was updated in one of the PRs but didn't get merged?
I think it was updated in other packages (react, vue) even before angular PR was merged. Is there a chance that dependencies.io keeps track of "already upgraded" deps not taking into account the particular subpackages where upgrade took place?
Yeah I'm thinking it's something along those lines. The lerna components are a little non-typical in that way, and I do see a specific place where it could throw a wrench into things. Fortunately, I do think that the revised "v2" stuff we're in the middle of has this solved -- now we just need to get it released!
Released as
Issue details
Storybook/angular 3.3.10 and 3.4.0-alpha.5 both pull in "url-loader": "^0.5.8" (0.5.9) and this brings along mime@1.3.x which has a high vulnerability risk report.
mime: https://nodesecurity.io/advisories/535
url-loader@0.6.2 (current latest) brings in mime@1.4.1 and would resolve this issue
Steps to reproduce
npm install of current storybook@angular versions
Please specify which version of Storybook and optionally any affected addons that you're running
Affected platforms
See advisory above
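Added example, not code from the Storybook project or from the reporter: a small checker that walks an `npm ls --json`-style dependency tree and lists every path reaching a `mime` release older than the 1.4.1 the report names as resolving the issue. The tree is constructed inline; the 1.3.6 patch level and the "some-other-pkg" sibling are made up, and versions are assumed to be plain x.y.z without prerelease tags.

```javascript
// Added example (not Storybook's or the reporter's code): walk an `npm ls --json`-style
// tree and report every path reaching a `mime` below the version the issue names as fixed.

// Constructed sample tree modelled on the issue: @storybook/angular -> url-loader@0.5.9
// -> mime@1.3.x (1.3.6 is a made-up patch level); "some-other-pkg" is a made-up sibling.
const SAMPLE_TREE = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    "@storybook/angular": {
      version: "3.3.10",
      dependencies: { "url-loader": { version: "0.5.9", dependencies: { mime: { version: "1.3.6" } } } },
    },
    "some-other-pkg": {
      version: "2.0.0",
      dependencies: { "url-loader": { version: "0.6.2", dependencies: { mime: { version: "1.4.1" } } } },
    },
  },
};

// Compare plain x.y.z versions (assumption: no prerelease tags in the tree).
function versionLess(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Depth-first walk; returns strings like "a@1 > url-loader@0.5.9 > mime@1.3.6"
// so a reviewer sees exactly which top-level package drags the bad version in.
function findVulnerable(tree, pkg, fixedIn, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = path.concat(`${name}@${info.version}`);
    if (name === pkg && versionLess(info.version, fixedIn)) hits.push(here.join(" > "));
    hits.push(...findVulnerable(info, pkg, fixedIn, here));
  }
  return hits;
}

const report = findVulnerable(SAMPLE_TREE, "mime", "1.4.1");
console.log(report.length ? report.join("\n") : "no vulnerable mime found");
```

On a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls --json --all` to see which top-level packages still pin the old url-loader.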