Publish new version resolving deep-extend vulnerability? #222
Comments
And this can be confirmed without installing fsevents as a dependency by running
Thanks for the report but see #219 (comment).
As explained in the issue description, all downstream packages already allow for the most recent versions of This does not require patch releases of
As confirmation, try the following:
You will see that we get the following already (without any changes to this repo):
Another example:
This emits the warning I reported in the issue description.
@rwjblue correct, it just needed new bundling, but I took the opportunity to bump anyway.
Installing fsevents (generally through other tools like sane or chokidar) currently emits a warning.
This warning is referencing fsevents > node-pre-gyp > rc > deep-extend as the dependency chain. An updated version of deep-extend and rc are available, and would be used under normal circumstances, but since this library bundles node-pre-gyp (changing that seems to be tracked in #157) downstream consumers cannot resolve this vulnerability warning until fsevents is published again.
Note:
I realize there have been many issues reported here around these vulnerability warnings (#198, #200, #205, etc), and I am sorry that this will likely seem like "just more noise". I am hopeful that the details above make it clear that this isn't a duplicate and hopefully makes addressing this one easier.
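The bundling constraint described in this issue can be checked from a lockfile. The following is an added example, not code from this thread or from the fsevents project: it assumes an npm package-lock with lockfileVersion 1, where bundled copies carry "bundled": true, and the function name, sample lockfile and version strings are constructed for illustration.

```javascript
'use strict';

// Return every install location of `target` in a lockfileVersion 1 tree.
// pinnedByBundle is true when the entry, or any ancestor on its path, is
// marked "bundled": true. Such a copy ships inside the parent's published
// tarball, so a consumer's `npm update` cannot replace it; only a new
// release of the bundling package can.
function findBundledPaths(lock, target) {
  const hits = [];
  const walk = (deps, trail, bundled) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = trail.concat(name);
      const isBundled = bundled || entry.bundled === true;
      if (name === target) {
        hits.push({
          path: path.join(' > '),
          version: entry.version,
          pinnedByBundle: isBundled,
        });
      }
      walk(entry.dependencies, path, isBundled);
    }
  };
  walk(lock.dependencies, [], false);
  return hits;
}

// Constructed sample lockfile. Version strings are placeholders, not real
// release numbers. Bundled packages appear flat under the bundling parent,
// so the path shows the install location, not the logical dependency chain.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'deep-extend': { version: '2.0.0-sample' },
    fsevents: {
      version: '1.0.0-sample',
      optional: true,
      dependencies: {
        'deep-extend': { version: '1.0.0-sample', bundled: true },
        'node-pre-gyp': { version: '1.0.0-sample', bundled: true },
        rc: { version: '1.0.0-sample', bundled: true },
      },
    },
  },
};

console.log(findBundledPaths(sampleLock, 'deep-extend'));
```

Entries reported with pinnedByBundle set to true are the ones a downstream project has to wait on an upstream publish to change.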