Fix: Upgrade yargs to ^16.0.0 #96
Comments
This isn't actually a high-severity bug here, so I'll get around to this today or tomorrow; feel free to open a pull request if you want to speed things along.
@calvinmetcalf, I have a PR for this, which also resolves the Prototype Pollution vulnerability in y18n by upgrading to yargs 16.1.1. If you provide me the appropriate access rights, I can push up my branch and open a PR.
You don't need any rights to open up a PR; just open it from your forked version to mine.
Ah, that's the rub. I never forked it. Just pulled down your repo and tried to create a branch.
I've attached the patch file here.
If that doesn't work, I can fork and open the PR.
Cheers.
OK, pushed up a fix; will publish when tests pass.
Awesome. Thanks.
I ran them locally and all looked good.
Note that this change should be a breaking change. Previously, copyfiles would work on node 8.x as it was using yargs 15.3.1, which was using engines >= 8 (https://github.com/yargs/yargs/blob/v15.3.1/package.json#L75). Now, copyfiles uses yargs 16.1.0, using engines >= 10 (https://github.com/yargs/yargs/blob/v16.1.0/package.json#L117).
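An added example, not code from copyfiles, yargs or anyone in this thread: a small Node script that performs the check the comment above implies, comparing a target Node version against the `engines.node` ranges declared by a dependency tree before and after the yargs bump. The dependency maps are constructed samples; only the yargs engines values (`>=8` for 15.3.1, `>=10` for 16.1.0) are taken from the thread, `some-other-dep` is a placeholder, and the range parser deliberately supports only the comparator subset that `engines` fields normally use.

```javascript
'use strict';

// Parse "v10.24.1", "10" or "8.17" into [major, minor, patch]; missing parts
// default to 0 and any prerelease suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One comparator: optional operator (>=, >, <=, <, =) followed by a version.
// A bare version means an exact match.
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*v?(\d+(?:\.\d+){0,2})$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const op = m[1] || '=';
  const c = compareVersions(parseVersion(version), parseVersion(m[2]));
  switch (op) {
    case '>=': return c >= 0;
    case '>':  return c > 0;
    case '<=': return c <= 0;
    case '<':  return c < 0;
    default:   return c === 0;
  }
}

// Range grammar: comparators separated by whitespace are ANDed, alternatives
// separated by "||" are ORed. That covers ">=8", ">=10", ">=8 <12 || >=14";
// caret, tilde and x-ranges are rejected with an error rather than misread.
function satisfiesRange(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).filter(Boolean)
      .every((cmp) => satisfiesComparator(version, cmp)));
}

// Walk a flattened dependency map (name -> { version, engines }) and collect
// every package whose engines.node range rejects the target Node version.
function engineReport(tree, nodeVersion) {
  const failures = [];
  for (const [name, pkg] of Object.entries(tree)) {
    const range = pkg.engines && pkg.engines.node;
    if (!range) continue; // no declared requirement: nothing to check
    if (!satisfiesRange(nodeVersion, range)) {
      failures.push(`${name}@${pkg.version} requires node ${range}`);
    }
  }
  return { ok: failures.length === 0, failures };
}

// Constructed sample trees. Only the yargs engines values (>=8 for 15.3.1,
// >=10 for 16.1.0) come from the thread; "some-other-dep" is a placeholder
// with no engines field.
const TREE_BEFORE = {
  yargs: { version: '15.3.1', engines: { node: '>=8' } },
  'some-other-dep': { version: '1.0.0' },
};
const TREE_AFTER = {
  yargs: { version: '16.1.0', engines: { node: '>=10' } },
  'some-other-dep': { version: '1.0.0' },
};

if (typeof require !== 'undefined' && require.main === module) {
  // In a real check, use process.version and read node_modules/*/package.json.
  for (const v of ['8.17.0', '10.24.1']) {
    console.log(`node ${v} before upgrade:`, engineReport(TREE_BEFORE, v));
    console.log(`node ${v} after upgrade: `, engineReport(TREE_AFTER, v));
  }
}
```

Running it shows the shape of the breaking change: Node 8.17.0 passes against the pre-upgrade tree and fails against the post-upgrade one with `yargs@16.1.0 requires node >=10`, while Node 10.24.1 passes both. Wiring the same report into CI with `process.version` on the oldest Node you claim to support is what turns a dependency bump like this one into a deliberate major-version decision rather than a surprise.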
Good callout, Jamie.
Hi,
There is a patch to a high-severity vulnerability available for yargs. Can you please update to version ^16.0.0 or so? It would resolve CVE-2020-7774. https://snyk.io/test/npm/yargs/15.3.1
Thank you in advance!