-
-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
jest-resolve
transitively pulls in a moderate npm audit
issue
#11379
Comments
We have migrated from |
No, we landed it in v26 first, but had to revert it as was a breaking change (due to bugs later fixed, but I'm hesitant to try again, and the overhead of making releases is not negligible, and false positives from tooling is not high on my list of priorities).
I hope so! You can see the milestone. I think I'll push most of those for 28 just to get 27 out though, except for #11263, #10577 and #11167 (PRs for the latter ones welcome 👍). So 1-2 weeks? Possibly |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
An npm advisory in
hosted-git-info
was posted this morning. This leadsnpm audit
to report moderate severity vulnerabilities in the current version of jest, 26.6.5 (and it can only suggest rolling back to[email protected]
, which does not actually help). Specifically, this comes fromjest
's use ofread-pkg-up
.My guess is it's not super likely that this presents a serious security threat in the jest context, but it's nice to keep one's tree free of audit issues when feasible.
Reproduction:
The text was updated successfully, but these errors were encountered: