Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-33987 #218

Closed
danepowell opened this issue Jun 22, 2022 · 2 comments
Closed

CVE-2022-33987 #218

danepowell opened this issue Jun 22, 2022 · 2 comments

Comments

@danepowell
Copy link

This package should update its dependency on latest-version to at least v6.0.0 to fix a downstream vulnerability in got. See remy/nodemon#2023 for details.
@danepowell danepowell mentioned this issue Jun 22, 2022
Closed
@erunion
Copy link

erunion commented Aug 16, 2022

@sindresorhus Can you update latest-version in the 5.x tag series as well? There are a lot of packages out here that are using it and can't just upgrade to ESM.

@ryanblock
Copy link

Since ensuring the safety and security of developers who cannot change to ESM has not been a priority for this project, I've created a fork here: https://www.npmjs.com/package/update-notifier-cjs

No meaningful logic changes have occurred to this library since making the change to ESM; this forked version is just 5.x, but with with two other Sindre dependencies vendored so as to enable making use of the got patch that addresses CVE-2022-33987.

@FinnWoelm FinnWoelm mentioned this issue Apr 22, 2023
Open
@Roger-Sa Roger-Sa mentioned this issue Feb 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@erunion @ryanblock @danepowell