Patch vulnerability from dependency requirejs #429
Comments
:( Only current workaround is downgrading to madge 0.6.0 🤯

requirejs  *
Severity: high
jrburke requirejs vulnerable to prototype pollution - https://github.com/advisories/GHSA-x3m3-4wpv-5vgc
fix available via `npm audit fix --force`
Will install madge@0.6.0, which is a breaking change
node_modules/requirejs
  module-lookup-amd  >=4.0.0
  Depends on vulnerable versions of requirejs
  node_modules/module-lookup-amd
    filing-cabinet  >=1.2.2
    Depends on vulnerable versions of module-lookup-amd
    node_modules/filing-cabinet
      dependency-tree  >=5.2.0
      Depends on vulnerable versions of filing-cabinet
      node_modules/dependency-tree
        madge  >=1.0.0
        Depends on vulnerable versions of dependency-tree
        node_modules/madge
Was fixed in 2.3.7! I'm using yarn resolutions to work around. In package.json:
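An added illustration of the yarn resolutions workaround described in the comment above. This is not the commenter's own package.json (that content did not survive on the page); the package name and the minimum version are taken from the thread, which names 2.3.7 as the requirejs release containing the fix, and the other fields are placeholders.

```json
{
  "name": "example-app",
  "version": "0.0.0",
  "devDependencies": {
    "madge": "^5.0.0"
  },
  "resolutions": {
    "requirejs": "^2.3.7"
  },
  "overrides": {
    "requirejs": "^2.3.7"
  }
}
```

`resolutions` is honoured by yarn and forces every copy of requirejs in the tree, including the one pulled in transitively through dependency-tree, filing-cabinet and module-lookup-amd, onto a fixed release. `overrides` is the equivalent field for npm (npm 8.3 or newer); keeping both lets the same package.json work under either tool. After reinstalling, `yarn why requirejs` or `npm ls requirejs` shows which version actually resolved, and `npm audit` should no longer report GHSA-x3m3-4wpv-5vgc for the requirejs path.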
Indeed, this is solved for me as well, even without the extra resolutions.
See vulnerability here: GHSA-x3m3-4wpv-5vgc
The requirement comes from a transitive dependency inside dependency-tree. A fix could be to ask them to fix or use another library.