Dependency Bot warning about vulnerable dependencies: ssri and is-svg #6375
Comments
Update:

As said earlier, they are upstream issues, there's nothing we can do here. They're considered vulnerabilities because if you use these package versions in your Node.js web server, and process user inputs with them, your server might get compromised. But that's not the use case of Vue CLI, which is a developer tool.

Thank you for the helpful information @sodatea 👍 We've turned off the
Version
4.5.9
Reproduction link
https://github.com/upstage-org/mobilise
Environment info
Steps to reproduce
There are no steps at all; everything was fine until GitHub's dependency bot discovered these vulnerabilities a few days ago, see attachment below:
What is expected?
No warning from Github's dependency bot
What is actually happening?
Dependency bot is warning about vulnerabilities inside these indirect dependencies: ssri and is-svg
ssri and is-svg are not our direct dependencies; after inspecting the yarn.lock we discovered that they were peer dependencies of @vue/cli-service.
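The reporter found where ssri and is-svg come from by reading yarn.lock by hand. The script below is an added example, not code from this thread or from Vue CLI: it parses a yarn lockfile v1 and prints every dependency path from a root entry to a named package, which is the lookup needed to decide whether a flagged transitive dependency is reachable from code that ever sees untrusted input. The lockfile excerpt is constructed sample data; the package names follow the issue, but the version ranges, versions and dependency edges are made up and are not the real upstage-org/mobilise lockfile.

```javascript
'use strict';

// Constructed yarn.lock v1 excerpt (sample data, not the real upstage-org/mobilise
// lockfile): package names follow the issue, ranges/versions/edges are made up.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@vue/cli-service@~4.5.0":
  version "4.5.9"
  resolved "https://registry.yarnpkg.com/@vue/cli-service/-/cli-service-4.5.9.tgz"
  dependencies:
    cacache "^12.0.3"
    postcss-svgo "^4.0.2"

cacache@^12.0.3:
  version "12.0.4"
  dependencies:
    ssri "^6.0.1"

figgy-pudding@^3.5.1:
  version "3.5.2"

html-comment-regex@^1.1.0:
  version "1.1.2"

is-svg@^3.0.0:
  version "3.0.0"
  dependencies:
    html-comment-regex "^1.1.0"

postcss-svgo@^4.0.2:
  version "4.0.2"
  dependencies:
    is-svg "^3.0.0"

ssri@^6.0.0, ssri@^6.0.1:
  version "6.0.1"
  dependencies:
    figgy-pudding "^3.5.1"
`;

// Split "name@range" on its last "@", so scoped names like
// "@vue/cli-service@~4.5.0" keep their leading "@".
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

// Parse yarn lockfile v1 text into entries { specs, version, dependencies }.
// Entry headers sit at column 0 and end with ":", fields are indented two
// spaces, dependency lines four. "resolved" and "integrity" are ignored here.
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 0 && body.endsWith(':')) {
      const specs = body.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      cur = { specs, version: null, dependencies: {} };
      entries.push(cur);
      inDeps = false;
    } else if (indent === 2 && cur) {
      inDeps = body === 'dependencies:' || body === 'optionalDependencies:';
      const m = /^version "([^"]+)"$/.exec(body);
      if (m) cur.version = m[1];
    } else if (indent === 4 && cur && inDeps) {
      // Dependency line: `name "range"`; scoped names are quoted: `"@scope/x" "range"`.
      const m = /^("?)(.+?)\1 "([^"]+)"$/.exec(body);
      if (m) cur.dependencies[m[2]] = m[3];
    }
  }
  return entries;
}

// All dependency paths from rootSpec (e.g. "@vue/cli-service@~4.5.0") to the
// package named targetName, each as a "name@version > name@version" string.
function pathsTo(entries, rootSpec, targetName) {
  const bySpec = new Map();
  for (const e of entries) for (const s of e.specs) bySpec.set(s, e);
  const root = bySpec.get(rootSpec);
  if (!root) throw new Error(`no lockfile entry for ${rootSpec}`);
  const label = (e) => `${splitSpec(e.specs[0]).name}@${e.version}`;
  const found = [];
  const walk = (entry, trail, onPath) => {
    const here = trail.concat(label(entry));
    if (splitSpec(entry.specs[0]).name === targetName) { found.push(here.join(' > ')); return; }
    if (onPath.has(entry)) return;          // cycle guard: lockfiles can be cyclic
    onPath.add(entry);
    for (const [dep, range] of Object.entries(entry.dependencies)) {
      const next = bySpec.get(`${dep}@${range}`);
      if (next) walk(next, here, onPath);   // an edge with no entry is skipped, not guessed
    }
    onPath.delete(entry);
  };
  walk(root, [], new Set());
  return found;
}

const entries = parseYarnLock(SAMPLE_LOCK);
for (const pkg of ['ssri', 'is-svg']) {
  console.log(`${pkg}:`);
  for (const p of pathsTo(entries, '@vue/cli-service@~4.5.0', pkg)) console.log(`  ${p}`);
}
```

For a real project, read `yarn.lock` with `fs.readFileSync` and pass the project's own `@vue/cli-service@<range>` header as the root; `yarn why ssri` answers the same question from the yarn CLI. The resulting path shows whether the flagged package sits under build-time tooling only or under something that handles request data, which is the distinction the maintainer's reply draws between a developer tool and a Node.js web server.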