Update the lockfile to automatically remove the vulnerability introduced in reshuffle@1.0.9 #512
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Title: Update the lockfile to automatically remove the vulnerability introduced in reshuffle@1.0.9
Hi, @ashevat, I have reported a vulnerability in package tedious.
As far as I am aware, vulnerability CVE-2021-28458 detected in package @azure/ms-rest-nodeauth<3.0.8 is directly referenced by tedious@6.7.0, on which your package reshuffle@1.0.9 transiively depends. As such, this vulnerability can also affect reshuffle@1.0.9 via the following path:
reshuffle@1.0.9 ➔ mssql@6.3.2 ➔ tedious@6.7.0 ➔ @azure/ms-rest-nodeauth@2.0.2(vulnerable version)Since tedious has released a new patched version tedious@6.7.1 to resolve this issue (tedious@6.7.1 ➔ @azure/ms-rest-nodeauth@3.0.10(fix version)), then this vulnerability patch can be automatically propagated into your project only if you update your lockfile. The following is your new dependency path :
reshuffle@1.0.9 ➔ mssql@6.3.2 ➔ tedious@6.7.1 ➔ @azure/ms-rest-nodeauth@3.0.10(vulnerability fix version).A warm tip.^_^
The text was updated successfully, but these errors were encountered: