New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security vulnerability in node-pre-gyp dependency #200
Comments
Thanks for the bug report but it's basically a non-issue. node-pre-gyp is the build tool, it's not used by fsevents at runtime. Prototype pollution is not a concern. edit: also, duplicate of #198. |
When node-pre-gyp publishes a version with updated deps I'll update the version bundled with fsevents to suppress the warnings. |
@es128 node-pre-gyp has now upgraded (see mapbox/node-pre-gyp#347). Please can you update fsevents? Edit: nevermind, just seen #201 :) |
Node Security Project is reporting a prototype pollution attack present in one of the dependencies of fsevents.
If node-pre-gyp 0.6.39 is replaced by 0.6.37 all of fsevent's tests still pass and the vulnerable module is no longer used.
The text was updated successfully, but these errors were encountered: