This is not a bug in nyc, we use semver ranges to install so the fixed versions are already allowed by nyc. The problem is with your yarn.lock or package-lock.json blocking the update. See istanbuljs/istanbuljs#476 for details and how to resolve the lockfile error.
nyc 15 actually removes handlebars entirely so it will never result in another audit report via nyc. See #1104 if you want to try that version which will become latest stable very soon (be sure to check changelogs posted as comments for breaking changes).
As far as updating the dependency chain of 14 we have to prioritize the work we do. Older versions of nyc bundled dependencies which meant that npm audit vulnerabilities were in fact our fault. We no longer bundle so this means that nyc itself is no longer the cause of most audit reports. If the vulnerability fix were an out-of-range update we would likely perform a backport to update our dependency but for in-range updates I simply don't have time (and it's fixable on the user side).
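The distinction drawn in the comment above (the declared semver range already allows the fixed handlebars, but the lockfile pins the old one) can be checked mechanically. The following is an added example, not code from nyc or from this thread: the lockfile contents are constructed, `auditLock` and `caretAllows` are hypothetical helpers, and only plain `x.y.z` versions and caret ranges with a major version of 1 or higher are handled.

```javascript
// Constructed sample in npm lockfile v1 layout (package-lock.json). Package
// names mirror the thread; the tree and version numbers are illustrative.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    nyc: { version: "14.1.1", requires: { "istanbul-reports": "^2.2.4" } },
    "istanbul-reports": { version: "2.2.6", requires: { handlebars: "^4.1.2" } },
    handlebars: { version: "4.5.2" },
  },
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Caret ranges only (^x.y.z, x >= 1): same major, at least the base version.
function caretAllows(range, version) {
  if (!range.startsWith("^")) return false; // other syntax: treat as not allowing
  const base = range.slice(1);
  const major = parse(base)[0];
  return major >= 1 && major === parse(version)[0] && cmp(version, base) >= 0;
}

// Walk the lock tree and decide whether the lockfile or a declared range
// is what keeps `name` below the `fixed` version.
function auditLock(lock, name, fixed) {
  const pinned = [];   // copies of `name` locked below the fixed version
  const requests = []; // every range some package declares for `name`
  (function walk(deps, path) {
    for (const [pkg, entry] of Object.entries(deps || {})) {
      const here = [...path, pkg];
      if (pkg === name && cmp(entry.version, fixed) < 0)
        pinned.push({ path: here.join(" > "), version: entry.version });
      if (entry.requires && entry.requires[name])
        requests.push({ by: pkg, range: entry.requires[name] });
      walk(entry.dependencies, here); // nested (non-hoisted) copies
    }
  })(lock.dependencies, []);
  const blockedBy = requests.filter((r) => !caretAllows(r.range, fixed));
  const verdict = pinned.length === 0 ? "clean"
    : blockedBy.length === 0 ? "lockfile-pinned" // ranges allow the fix already
    : "range-blocked";                           // a dependent's range excludes it
  return { verdict, pinned, blockedBy };
}

console.log(auditLock(sampleLock, "handlebars", "4.5.3"));
```

A `lockfile-pinned` verdict corresponds to the in-range case described in the comment, where the fix is on the user side; `range-blocked` corresponds to the out-of-range case that would need a new release from the dependent package.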
Link to bug demonstration repository
Expected Behavior
no security audits
Observed Behavior
violations due to use of handlebars version 4.5.2 (fixed in 4.5.3)
https://npmjs.com/advisories/1324
https://npmjs.com/advisories/1325
Troubleshooting steps
cache: false in my nyc config
Environment Information