Please update configstore #4594 (label: usage)
Dependabot opened an alert in my repo because of the semver version. Your workaround closed the alert. Thanks for sharing! I'll follow this so that when it is resolved I may remove the override.
@PeterJCLaw and @iainelder, please reach out to configstore to update their requirements, for I'll release CSpell 7 soon. It has been updated to ESM and uses configstore 6. See cspell/packages/cspell-lib/package.json Line 69 in 2e65be0
Making the changes to CSpell 6 is too extensive to warrant the change.
I'll leave that up to others in this issue. I'm not a JavaScript developer, just a user of cspell.
Hrm.
I just reread your comment. Is this already solved in CSpell 7?
If so, I'll upgrade from CSpell 6.
I forgot to mark this as completed. CSpell 7 ships with configstore 6. My plan is to move away from configstore (#4718) to conf. It is the same author, but with better support. Since the location of the config has changed, I need to come up with a transition plan.
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
cspell 6.x transitively depends on semver 6.3.0, which has a reported regular expression denial-of-service vulnerability in versions prior to 7.5.3 (GHSA-c2qf-rxjj-qqgw). cspell's direct dependency on semver is already compatible with fixed versions, so the issue is just about the transitive dependency.
The transitive chain is as follows:
In theory this could be easily fixed by updating configstore from 5.x to 6.x; however, 6.x is ESM, which I suspect means this is blocked on #4267. configstore 6.x removes its dependence on make-dir in favour of the equivalent NodeJS builtin, though it bumps its minimum supported NodeJS version to 12 (https://github.com/yeoman/configstore/releases). As cspell 6.x already depends on Node 14, however, that aspect should not be an issue.
For others affected by this -- I'm currently working around this by applying a package override:
make-dir v4 bumps the minimum Node version required to 10 but otherwise seems to be compatible.
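As an added example (not code from the issue, from cspell or from configstore), the Node script below walks an npm lockfile's `packages` map, reports every installed `semver` below the fixed release together with the chain that pulls it in, and builds a nested package.json `overrides` entry for each direct parent, which is how you confirm an override actually removed the vulnerable copy. The sample lockfile, its package versions and the `findVulnerable`/`suggestOverrides` helpers are constructed here to mirror the chain the issue describes; they are not real install data.

```javascript
const FIXED_SEMVER = "7.5.3"; // first semver release without the ReDoS (GHSA-c2qf-rxjj-qqgw)
// Constructed sample lockfile (npm "packages" map) mirroring the issue's chain: cspell -> cspell-lib -> configstore 5 -> make-dir 3 -> semver 6.3.0.
const SAMPLE_LOCK = { packages: {
  "": { name: "example-app", dependencies: { cspell: "^6.0.0" } },
  "node_modules/cspell": { version: "6.31.0", dependencies: { "cspell-lib": "6.31.0", semver: "^7.5.3" } },
  "node_modules/cspell-lib": { version: "6.31.0", dependencies: { configstore: "^5.0.1" } },
  "node_modules/configstore": { version: "5.0.1", dependencies: { "make-dir": "^3.0.0" } },
  "node_modules/make-dir": { version: "3.1.0", dependencies: { semver: "^6.0.0" } },
  "node_modules/make-dir/node_modules/semver": { version: "6.3.0" }, // nested copy, vulnerable
  "node_modules/semver": { version: "7.5.4" }, // hoisted copy used by cspell directly, fixed
} };
// Numeric major.minor.patch comparison; prerelease tags are ignored.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// Node-style resolution: the requirer's own node_modules first, then one level up at a time.
function resolveDep(packages, fromPath, depName) {
  for (let base = fromPath; ; ) {
    const candidate = `${base ? base + "/" : ""}node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("node_modules/");
    base = idx <= 0 ? "" : base.slice(0, idx - 1);
  }
}
// Walk the graph from the root; record each installed `pkg` below `fixed` with the chain reaching it.
function findVulnerable(lock, pkg = "semver", fixed = FIXED_SEMVER) {
  const { packages } = lock, findings = [], visited = new Set();
  const walk = (pkgPath, chain) => {
    if (visited.has(pkgPath)) return;
    visited.add(pkgPath);
    for (const dep of Object.keys(packages[pkgPath].dependencies || {})) {
      const target = resolveDep(packages, pkgPath, dep);
      if (!target) continue; // not installed in this lockfile; skip
      const version = packages[target].version, next = [...chain, `${dep}@${version}`];
      if (dep === pkg && versionLessThan(version, fixed))
        findings.push({ location: target, version, parent: chain[chain.length - 1].split("@")[0], chain: next.join(" > ") });
      walk(target, next);
    }
  };
  walk("", [packages[""].name]);
  return findings;
}
// Nested package.json "overrides" entry pinning `pkg` under each direct parent that pulls in a bad
// copy (npm's documented nested-override shape; the issue author's own workaround bumped make-dir instead).
function suggestOverrides(findings, pkg = "semver", fixed = FIXED_SEMVER) {
  return Object.fromEntries(findings.map((f) => [f.parent, { [pkg]: `>=${fixed}` }]));
}
```

Run `findVulnerable` against the real `package-lock.json` before and after adding the override; an empty result afterwards means no vulnerable copy remains installed.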