Validation Bypass of kind-of (transitive dependency) #1023

Closed
Ryuno-Ki opened this issue Mar 18, 2020 · 1 comment
Labels
bug: dependency A problem in one of Eleventy’s dependencies npm-audit Security audits from npm

Comments

@Ryuno-Ki
Contributor

Describe the bug
Running npm audit yields several security warnings.
This issue is meant as a heads-up! (Hopefully preventing other issues from popping up.)

To Reproduce
Steps to reproduce the behavior:

  1. Install @11ty/eleventy (tested with 0.11.0-beta.1)
  2. Run npm audit.
┌───────────────┬──────────────────────────────────────────────────────────────┐    
│ Low           │ Validation Bypass                                            │    
├───────────────┼──────────────────────────────────────────────────────────────┤    
│ Package       │ kind-of                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤    
│ Dependency of │ @11ty/eleventy                                               │    
├───────────────┼──────────────────────────────────────────────────────────────┤    
│ Path          │ @11ty/eleventy > nunjucks > chokidar > readdirp > micromatch │    
│               │ > kind-of                                                    │    
├───────────────┼──────────────────────────────────────────────────────────────┤    
│ More info     │ https://npmjs.com/advisories/1490                            │
└───────────────┴──────────────────────────────────────────────────────────────┘    

Among other paths.

Expected behavior
Eleventy should strive to keep its dependencies up-to-date.

Environment:

  • OS and Version: Sabayon Linux
  • Eleventy Version 0.11.0-beta.1

Additional context
There's an advisory at https://npmjs.com/advisories/1490

@zachleat
Member

Note we still currently have one unsolvable npm audit filed at #1026.

@zachleat zachleat added bug: dependency A problem in one of Eleventy’s dependencies and removed needs-triage labels Mar 20, 2020
@zachleat zachleat added this to the Eleventy v0.11.0 milestone Mar 20, 2020
@zachleat zachleat added the npm-audit Security audits from npm label May 10, 2020