New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update shelljs to 0.8.5 to mitigate the vulnerability GHSA-64g7-mvw6-v9qj #360
Comments
You have to fork the repository first. It should work as expected after that. |
Thanks! It's my first contribution to any open source project, hence didn't thought about forking! |
There is something I just realized reading the report below 👇
We don't use the loki/packages/core/src/dependency-detection.js Lines 15 to 17 in f7d5e65
So Loki is not really affected by shelljs/shelljs#1058 and the patch shelljs/shelljs#1060 doesn't really change anything for Loki from a code perspective. What do you think? @oblador |
Yeah, and also Loki's version is not locked to the vulnerable version. Simply update your project's lockfile, no change is really needed in Loki. |
Hi!
loki-core uses shelljs in version 0.8.3 which has the vulnerability GHSA-64g7-mvw6-v9qj. There are no braking changes mentioned in 0.8.4 and 0.8.5 here. I checked out the code, updated shelljs and run the unit tests and didn't found an issue. Due to missing permissions I couldn't create a PR.
Thanks for your work!
The text was updated successfully, but these errors were encountered: