Minimist dependent package vulnerability due to older version usage #945
Comments
|
Hello, The same problem! Looking forward to the fix :) Thanks! |
|
Looks like the package.json shows that the upgrade has been done, but we're just lacking a release 🙏🏻 |
|
Hopefully this gets looked into asap |
|
I wouldn't count on a release anytime soon; see #914 (comment) for more details. |
brett-vendia
pushed a commit
to CodeGenieApp/serverless-express
that referenced
this issue
Jun 30, 2022
for details see commitizen/cz-cli#945 and commitizen/cz-cli#914
|
We're just lacking a release 🤯 |
|
I believe this is fixed in the new release, 4.2.5. |
|
I note that your renovate bot has updated the I would suggest that you allow "dependencies" to be updateable using "^x.x.x" syntax rather than pinning them thus allowing consumers of this package to take security updates without having to wait on yourselves. |
OneDev0411
added a commit
to OneDev0411/serverless-express
that referenced
this issue
Mar 16, 2023
for details see commitizen/cz-cli#945 and commitizen/cz-cli#914
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
We are using commitizen package in our microservice api. As we know commitizen has a dependency on minimist package and it shows us a vulnerablility during our docker image scan.
Could you guys please update your package to a newer version or may be upgrade the minimist package to it's fixed version which is 1.2.6?
Hope to see the resolution soon on this issue. Thanks !
The text was updated successfully, but these errors were encountered: