Update Acorn to address security vulnerability #18

Merged: 3 commits merged on May 19, 2020
@warerebel warerebel commented Apr 22, 2020

Updated Acorn to address security vulnerability, also updated all other dependencies.

Updated to use nyc which supersedes istanbul for test coverage.

Added a travis CI build check against the current LTS version of Node.
Removed travis CI build checks against node version 4 and 5.

Upgrade dependencies:
  • acorn: 7.1.1
  • object-assign: 4.1.1

Upgrade dev-dependencies:
  • removed istanbul
  • replaced with nyc 15.0.1
  • testit: 3.1.0

Chris Lount added 2 commits April 22, 2020 21:28
Upgrade dependencies:
acorn: 4.0.2
object-assign: 4.0.1
Upgrade dev-dependencies:
removed istanbul
replaced with nyc
testit: 3.1.0
@warerebel
Contributor Author

@ForbesLindesay as the last person to commit on this repo, are you able to review this pull request?
Thanks.

@ForbesLindesay
Member

Please remove the package-lock.json file. This isn't going to be super high priority because there is no actual security vulnerability here. This package is currently on version ~4.0.2 which falls well outside the range of vulnerable acorn versions: https://snyk.io/vuln/npm:acorn

@rollingversions

rollingversions bot commented May 19, 2020

Change Log for is-expression (3.0.0 → 4.0.0)

Breaking Changes

  • Upgrade acorn from 4.0.2 to 7.1.1

    This changes the default mode to ES2019, meaning many things now count as valid expressions that were previously considered errors.


@ForbesLindesay ForbesLindesay merged commit fa64749 into pugjs:master May 19, 2020
@ForbesLindesay
Member

Released as 4.0.0
