High severity vulnerability detected in sane dependencies #8291

Closed
harol-rodriguez opened this issue Nov 3, 2020 · 1 comment

Comments

@harol-rodriguez

Versions

  • nuxt: v2.14.7
  • node: v12.14.0

Reproduction

A security assessment was performed and vulnerabilities were found in the dependency sane.

It is requested to update from version "y18n": "^4.0.0" to "y18n": "^5.0.5".

reference:
yargs/y18n#107
yargs/y18n#108

Additional Details

What is Expected?

What is actually happening?

@danielroe
Member

@harol-rodriguez

  • sane is not installed in Nuxt's production dependencies; it is a dependency of jest and only installed in development
  • node-sass seems to be the only non-development package that depends on y18n. The latest version of node-sass still depends on sass-graph which depends on yargs 13 (latest is 16). However, node-sass should only be run in the development/build-time environment of a user of Nuxt, so I doubt this is a significant risk in context. Users can always provide a yarn resolution to pin their y18n version as appropriate.
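
The triage in the reply above, as an added example that is not part of the thread or of Nuxt's code: given a dependency graph, it lists every path that pulls in a package and whether that path starts from `dependencies` or `devDependencies`. The graph and manifest are constructed and simplified, and `findPaths` and `classify` are hypothetical helper names.

```javascript
// Constructed, simplified dependency graph (not a real lockfile). Edges follow
// the thread; the hops between sane and y18n are not given there and are elided.
const graph = {
  jest: ['sane'],
  sane: ['y18n'],
  'node-sass': ['sass-graph'],
  'sass-graph': ['yargs'],
  yargs: ['y18n'],
  y18n: [],
};
// Constructed manifest: which roots are declared in which package.json section.
const manifest = { dependencies: ['node-sass'], devDependencies: ['jest'] };

// Return every root-to-target path, tagged with the section its root came from.
function findPaths(graph, manifest, target) {
  const results = [];
  const walk = (name, path, scope) => {
    if (path.includes(name)) return; // cycle guard
    const next = [...path, name];
    if (name === target) {
      results.push({ scope, path: next });
      return;
    }
    for (const dep of graph[name] || []) walk(dep, next, scope);
  };
  for (const scope of ['dependencies', 'devDependencies']) {
    for (const root of manifest[scope] || []) walk(root, [], scope);
  }
  return results;
}

// Classify a package: 'absent', 'dev-only', or 'production' (at least one
// path starts in dependencies, so a production install includes it).
function classify(graph, manifest, target) {
  const paths = findPaths(graph, manifest, target);
  if (paths.length === 0) return 'absent';
  return paths.some(p => p.scope === 'dependencies') ? 'production' : 'dev-only';
}

for (const pkg of ['sane', 'y18n']) {
  console.log(`${pkg}: ${classify(graph, manifest, pkg)}`);
  for (const { scope, path } of findPaths(graph, manifest, pkg)) {
    console.log(`  [${scope}] ${path.join(' > ')}`);
  }
}
```

A `production` result only shows that the package is installed outside development; whether it actually executes at runtime, as the reply discusses for node-sass, is a separate judgement.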
