You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
NPM complains when trying to install any package that depends on obsidian-calendar-ui due to a dependency on svelte < 4.59.0.
For example, when installing any package or plugin that depends on the latest versions of dataview, which in turn depend on obsidian-calendar-ui:
$ npm i
added 261 packages, and audited 262 packages in 22s
96 packages are looking for funding
run `npm fund` for details
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
$ npm audit
# npm audit report
svelte <3.49.0
Severity: moderate
Svelte vulnerable to XSS when using objects during server-side rendering - https://github.com/advisories/GHSA-wv8q-r932-8hc7
fix available via `npm audit fix --force`
Will install obsidian-dataview@0.4.21, which is a breaking change
node_modules/svelte
obsidian-calendar-ui *
Depends on vulnerable versions of svelte
node_modules/obsidian-calendar-ui
obsidian-dataview >=0.4.22
Depends on vulnerable versions of obsidian-calendar-ui
node_modules/obsidian-dataview
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Not sure if the issue should be addressed here or downstream. I would imagine that even after obsidian-calendar-ui updates (and maybe you already have! :) ), all the downstream dependents need to update as well.
Either way, I thought I might bring this to your attention here, and perhaps you might have suggestions as to approaches for down-down-downstream package developers such as myself ?
Please feel free to close if this is not really anything that should be discussed here (e.g., it's all really the downstream users responsibilities ...)
The text was updated successfully, but these errors were encountered:
NPM complains when trying to install any package that depends on
obsidian-calendar-uidue to a dependency on svelte < 4.59.0.For example, when installing any package or plugin that depends on the latest versions of dataview, which in turn depend on obsidian-calendar-ui:
The issue is flagged on dataview's site: blacksmithgu/obsidian-dataview#2288, and presumably others.
Not sure if the issue should be addressed here or downstream. I would imagine that even after obsidian-calendar-ui updates (and maybe you already have! :) ), all the downstream dependents need to update as well.
Either way, I thought I might bring this to your attention here, and perhaps you might have suggestions as to approaches for down-down-downstream package developers such as myself ?
Please feel free to close if this is not really anything that should be discussed here (e.g., it's all really the downstream users responsibilities ...)
The text was updated successfully, but these errors were encountered: