NPM is currently alerting users to a severe error in the CLI when installing or working with this package, `@semantic-release/gitlab`, specifically referencing an exploit available in the `parse-path` dependency when using versions < 5.0.0 when examining details from `npm audit`.
```
# npm audit report
parse-path <5.0.0
Severity: high
Authorization Bypass in parse-path - https://github.com/advisories/GHSA-3j8f-xvm3-ffx4
fix available via `npm audit fix --force`
Will install @semantic-release/gitlab@1.0.0, which is a breaking change
node_modules/@semantic-release/gitlab/node_modules/parse-path
@semantic-release/gitlab >=1.0.1
Depends on vulnerable versions of parse-path
node_modules/@semantic-release/gitlab
2 high severity vulnerabilities
```
The suggested fix is to install version 1.0.0 of this package which is quite a difference from the latest versions available.
Platform: Windows 10 Pro (19044.1766 - 21H2)
Node: 14.19.1
NPM: 8.6.0
Since I did not see this reported anywhere, I have submitted an issue for tracking and possibly a related patch.
xr-james changed the title from "Severe security issue reported by npm for dependency parse-path <5.0.0" to "High security issue reported by npm for dependency parse-path <5.0.0" on Jul 10, 2022
Thanks @xr-james, there are already some automated PRs to upgrade this dependency (#415, #419 and #420) but the upgrade seems to break the plugin. I'll have a look!
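As an added example (not part of the original issue or the project's code): a Node.js triage of `npm audit --json` output that resolves each direct dependency's finding to its root advisory and flags a proposed fix that is semver-major, like the `@semantic-release/gitlab@1.0.0` install reported above. The sample report is constructed to mirror the text report in this issue, and the field names assume the npm 7+ JSON format (`auditReportVersion: 2`).

```javascript
// Added example: triage an `npm audit --json` report (auditReportVersion 2, npm 7+).
// SAMPLE_REPORT is constructed to mirror the text report in this issue; it is not real tool output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'parse-path': {
      name: 'parse-path', severity: 'high', isDirect: false, range: '<5.0.0',
      via: [{ name: 'parse-path', title: 'Authorization Bypass in parse-path', severity: 'high',
        range: '<5.0.0', url: 'https://github.com/advisories/GHSA-3j8f-xvm3-ffx4' }],
      effects: ['@semantic-release/gitlab'],
      nodes: ['node_modules/@semantic-release/gitlab/node_modules/parse-path'],
      fixAvailable: { name: '@semantic-release/gitlab', version: '1.0.0', isSemVerMajor: true },
    },
    '@semantic-release/gitlab': {
      name: '@semantic-release/gitlab', severity: 'high', isDirect: true, range: '>=1.0.1',
      via: ['parse-path'], effects: [],
      nodes: ['node_modules/@semantic-release/gitlab'],
      fixAvailable: { name: '@semantic-release/gitlab', version: '1.0.0', isSemVerMajor: true },
    },
  },
};

// String entries in `via` point at another vulnerable package; object entries are
// the advisories themselves. Walk the pointers down to the root-cause advisories.
function rootAdvisories(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const vuln = report.vulnerabilities[name];
  if (!vuln) return [];
  return vuln.via.flatMap((v) => (typeof v === 'string' ? rootAdvisories(report, v, seen) : [v]));
}

// One finding per direct dependency: what is vulnerable underneath it, and whether
// the proposed fix is a breaking (semver-major) change that should not be auto-applied.
function triage(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.isDirect)
    .map((v) => {
      const fix = v.fixAvailable; // false, true, or { name, version, isSemVerMajor }
      return {
        direct: v.name,
        severity: v.severity,
        advisories: rootAdvisories(report, v.name).map((a) => `${a.name} ${a.range}: ${a.url}`),
        proposedFix: fix && fix.name ? `${fix.name}@${fix.version}` : null,
        action: fix && fix.isSemVerMajor ? 'manual-review' : fix ? 'auto-fix' : 'no-fix-available',
      };
    });
}

console.log(JSON.stringify(triage(SAMPLE_REPORT), null, 2));
```

In CI, findings with action `manual-review` are the ones where `npm audit fix --force` would change a direct dependency's major version, so they are worth routing to a person instead of an automated fix job.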