chore(deps): bump vm2 to 3.9.4 in package-lock #2950

Merged
merged 1 commit into from
Oct 19, 2021
Conversation

tshuli
Contributor

@tshuli tshuli commented Oct 19, 2021

Problem

  • bumps vm2 to 3.9.4 in package-lock to fix high severity vulnerability

Contributor

@karrui karrui left a comment

lgtm

small q: how can we be sure this doesn't revert since this dependency update is only in the lockfile and not in package.json?

Contributor Author

tshuli commented Oct 19, 2021

as discussed, it could, but in this case vm2 is a dependency of [email protected], which is a nested dependency itself. 3.9.4 is still compatible with the versioning
"vm2": "^3.9.3"

as a further check, snyk would pick it up if there's any reversion
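The reasoning in the reply above (a lockfile-only bump of a nested dependency will not be reverted by a fresh install as long as the pinned version still satisfies the range its parent declares) can be turned into a repeatable CI check. The following is an added example, not code from this repository; `parent-pkg` is a placeholder for the redacted package that depends on vm2, the lockfile fragment is constructed, and only caret ranges (the form shown on the page) are handled.

```javascript
// Added example: verify that every `requires` range in a lockfile-v1 style
// dependency tree is satisfied by the version resolved for that name, so a
// lockfile-only bump (here vm2 3.9.3 -> 3.9.4 under "^3.9.3") cannot silently
// drift out of range. No external packages; caret ranges only.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "^X.Y.Z" allows >= X.Y.Z and below the next bump of the leftmost
// non-zero component (^3.9.3 => >=3.9.3 <4.0.0, ^0.1.5 => >=0.1.5 <0.2.0).
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const lower = parseVersion(range.slice(1));
  let upper;
  if (lower[0] > 0) upper = [lower[0] + 1, 0, 0];
  else if (lower[1] > 0) upper = [0, lower[1] + 1, 0];
  else upper = [0, 0, lower[2] + 1];
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Walk the tree; a node's `requires` resolve against its own nested
// `dependencies` first, then anything hoisted in an ancestor.
function checkLockfile(lock) {
  const problems = [];
  function walk(node, scope) {
    const deps = node.dependencies || {};
    const inner = { ...scope };
    for (const [n, d] of Object.entries(deps)) inner[n] = d.version;
    for (const [name, range] of Object.entries(node.requires || {})) {
      const resolved = inner[name];
      if (!resolved || !satisfiesCaret(resolved, range))
        problems.push(`${name}@${resolved} does not satisfy ${range}`);
    }
    for (const d of Object.values(deps)) walk(d, inner);
  }
  walk(lock, {});
  return problems;
}

// Constructed lockfile fragment; "parent-pkg" stands in for the redacted parent.
const LOCK = { dependencies: { 'parent-pkg': { version: '1.0.0',
  requires: { vm2: '^3.9.3' }, dependencies: { vm2: { version: '3.9.4' } } } } };
```

Running `checkLockfile` over the real package-lock.json after a manual bump and failing the build on a non-empty result gives the same guarantee the reply relies on, without waiting for a scanner to notice a reversion.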

@tshuli tshuli merged commit 9b75b70 into develop Oct 19, 2021
@tshuli tshuli deleted the deps/vm2 branch October 19, 2021 02:15
@tshuli tshuli mentioned this pull request Oct 19, 2021