Sure, but note that we do releases from the v7 branch, where jsdom is at 16.x and we still support node.js 12. Jsdom tends to be quite aggressive with not supporting older node versions, so we can't really upgrade to ^23 until we release a new major of assetgraph.
👋 Hi! Coming over from mochajs/mocha#5070, there's a trail in our dependencies that ends with an old version of `tough-cookie` and starts with our dependency on `assetgraph`. Bottom-to-top:

- `tough-cookie` had a security report: GHSA-72xf-g2v4-qvf3 -> CVE-2023-26136 Prototype Pollution vulnerability salesforce/tough-cookie#291 -> `tough-cookie@4.1.3`
- `jsdom`: has a dependency on `tough-cookie`. Update dependencies jsdom/jsdom#3626 bumped it to `^4.1.3`; `jsdom@23.0.0` included the upgrade
- `assetgraph` still has a dependency on `jsdom@^21.0.0`.

Would you accept a PR that bumps `jsdom` to `^23.0.0`?

AssetGraph is very cool by the way. Thanks for working on it! 😄
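The bottom-to-top trail in the issue can be found mechanically by walking an installed dependency tree. The following is an added example, not part of the original thread or of any project's code; the tree is constructed sample data shaped like `npm ls --all --json` output, and the installed versions in it, the `other-tool` package and the function names are assumptions.

```javascript
// Added example. First tough-cookie release carrying the fix, per the issue.
const FIXED = "4.1.3";

// Compare two plain x.y.z versions; returns <0, 0 or >0.
// Pre-release tags are out of scope for this sketch.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return every dependency path that ends in `target` at a version older than `fixed`.
function findVulnerablePaths(node, target, fixed, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = [...trail, `${name}@${dep.version}`];
    if (name === target && compareVersions(dep.version, fixed) < 0) {
      hits.push(path.join(" > "));
    }
    hits.push(...findVulnerablePaths(dep, target, fixed, path));
  }
  return hits;
}

// Constructed tree: one branch pins an old tough-cookie, one has the fixed release.
const sampleTree = {
  name: "example-project",
  version: "1.0.0",
  dependencies: {
    assetgraph: { version: "7.0.0", dependencies: {
      jsdom: { version: "21.0.0", dependencies: {
        "tough-cookie": { version: "4.1.2" } } } } },
    "other-tool": { version: "1.0.0", dependencies: {
      jsdom: { version: "23.0.0", dependencies: {
        "tough-cookie": { version: "4.1.3" } } } } },
  },
};

for (const p of findVulnerablePaths(sampleTree, "tough-cookie", FIXED)) {
  console.log("needs upgrade:", p);
}
```

Only the installed version decides the result, so run the check against the resolved tree rather than the declared ranges.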