replacing liboneandone with liboneandone-2 with updated mocha dependency #681
Open
pfuri wants to merge 2 commits into pkgcloud:master from
Are there any plans to merge this? My audits keep failing because of this dep :(

Hi! I really think this PR (or any PRs related to fixing vulnerabilities caused by old dependencies) should be merged, seems like a necessary change 🙏 ! Are there any plans of doing it? Sorry to bother @indexzero, maybe you can help us with this. Thanks!

My audits are failing too, partially because of this.

Same here, we have a failed build because of it. Any news on getting this solved?
The liboneandone package is no longer supported and contains an older version of mocha as a dependency that has known vulnerabilities.
The latest commit of liboneandone has an update for this dependency which resolves these vulnerabilities by using an updated version of mocha; however, liboneandone hasn't been published to npm since July of 2018.
liboneandone-2 is a fork of the liboneandone package at the latest commit.
There is an open pull request for pkgcloud which addresses this through a direct reference to the GitHub commit in liboneandone, but direct references to GitHub rather than to npm modules can cause problems for organizations with proxies.
pkgcloud Issue References:
gcloud and liboneandone
pkgcloud Pull Request References:
liboneandone Issue References:
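
An added example, not code from this pull request or from pkgcloud: a check over a package-lock.json that reports packages resolved from somewhere other than the npm registry (the proxy concern described above) and lists every installed copy of a package such as mocha together with the packages it is nested under. The lockfile fragment, the versions, the `example-org` owner, the commit placeholder and the function names are constructed for illustration; it assumes the lockfileVersion 2/3 `packages` layout.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 3 "packages" layout).
// Versions, the "example-org" owner and the commit placeholder are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/liboneandone": {
      version: "0.0.0-example",
      resolved: "git+ssh://git@github.com/example-org/liboneandone.git#COMMIT_PLACEHOLDER",
    },
    "node_modules/liboneandone/node_modules/mocha": {
      version: "0.0.0-old",
      resolved: "https://registry.npmjs.org/mocha/-/mocha-0.0.0-old.tgz",
    },
    "node_modules/mocha": {
      version: "0.0.0-new",
      resolved: "https://registry.npmjs.org/mocha/-/mocha-0.0.0-new.tgz",
      dev: true,
    },
  },
};

// Split "node_modules/a/node_modules/@scope/b" into ["a", "@scope/b"].
function installChain(key) {
  return key.split("node_modules/").slice(1).map((s) => s.replace(/\/$/, ""));
}

// Packages not fetched over HTTPS from the allowed registry host (git, GitHub
// or other URLs that a registry-only proxy cannot serve).
function nonRegistrySources(lock, registryHost) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "" || meta.link || !meta.resolved) continue;
    let host = null;
    try {
      const u = new URL(meta.resolved);
      if (u.protocol === "https:") host = u.host;
    } catch (_) { /* unparsable value: reported as non-registry */ }
    if (host !== registryHost) hits.push({ name: installChain(key).pop(), resolved: meta.resolved });
  }
  return hits;
}

// Every installed copy of `name`, with the packages it is nested under.
function copiesOf(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([key]) => installChain(key).pop() === name)
    .map(([key, meta]) => ({ chain: installChain(key), version: meta.version, dev: !!meta.dev }));
}
```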