Security vulnerability in mem dependency #561

Harmon758 · 2019-07-15T22:41:57Z

The version of yargs being used has a mem dependency with a security vulnerability:
sindresorhus/memoize#14 (Fixed with sindresorhus/memoize@da4e439 / sindresorhus/memoize#19)
sindresorhus/os-locale#31
yargs/yargs#1209 (Fixed with yargs>=12.0.2: yargs/yargs@efc0970 / yargs/yargs#1195)

Dependency hierarchy:

`-- idyll@4.5.3
  `-- yargs@8.0.1
    `-- os-locale@2.1.0
      `-- mem@1.1.0

idyll/packages/idyll-cli/package.json

Line 73 in 43ac3aa

"yargs": "8.0.1"

GitHub has recently started creating security alerts for this vulnerability:

The text was updated successfully, but these errors were encountered:

mathisonian · 2019-07-16T01:47:52Z

I haven't seen a security alert for this yet - we released a dependency update a few days ago (#558) is it possible this is already fixed in the latest?

edit: never mind, just checked yarn.lock and confirmed mem@1.1.0 is still there.

Harmon758 · 2019-07-18T13:46:22Z

Resolved by 8610555 (#562) in idyll@4.6.0.

mathisonian mentioned this issue Jul 16, 2019

update yargs #562

Merged

mathisonian added security dependencies Pull requests that update a dependency file labels Jul 16, 2019

Harmon758 closed this as completed Jul 18, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security vulnerability in mem dependency #561

Security vulnerability in mem dependency #561

Harmon758 commented Jul 15, 2019

mathisonian commented Jul 16, 2019 •

edited

Harmon758 commented Jul 18, 2019

Security vulnerability in mem dependency #561

Security vulnerability in mem dependency #561

Comments

Harmon758 commented Jul 15, 2019

mathisonian commented Jul 16, 2019 • edited

Harmon758 commented Jul 18, 2019

mathisonian commented Jul 16, 2019 •

edited