CVE-2022-33987 #1703
Thanks for opening this issue. A contributor should be by to give feedback soon. In the meantime, please check out the contributing guidelines and explore other ways you can get involved.
Looks like we need to update
joao-paulo-parity added a commit to joao-paulo-parity/probot that referenced this issue on Jun 30, 2022:
It's better to catch outdated dependencies before deployment, with tools such as Dependabot, instead of only finding out about it when you're about to run the application. The motivation for having update-notifier isn't strong as per probot#1102 (comment), and it pulls in needless dependencies as showcased in probot#1703; therefore it's better to remove it.
joao-paulo-parity added a commit to joao-paulo-parity/probot that referenced this issue on Jun 30, 2022:
It's better to catch outdated dependencies before deployment, with tools such as Dependabot, instead of only finding out about it when you're about to run the application. The motivation for having update-notifier isn't strong as per probot#1102 (comment), and it pulls in needless dependencies as showcased in probot#1703; therefore it's better to remove it.
BREAKING CHANGE: update-notifier will no longer be available for the CLI
joao-paulo-parity added a commit to joao-paulo-parity/probot that referenced this issue on Jun 30, 2022:
It's better to catch outdated dependencies before deployment, with tools such as Dependabot, instead of only finding out about it when you're about to run the application. The motivation for having update-notifier isn't strong as per probot#1102 (comment), and it pulls in needless dependencies as showcased in probot#1703; therefore it's better to remove it.
gr2m pushed a commit that referenced this issue on Jun 30, 2022:
It's better to catch outdated dependencies before deployment, with tools such as Dependabot, instead of only finding out about it when you're about to run the application. The motivation for having update-notifier isn't strong as per #1102 (comment), and it pulls in needless dependencies as showcased in #1703; therefore it's better to remove it.
🎉 This issue has been resolved in version 12.2.5 🎉 The release is available on: Your semantic-release bot 📦🚀
Got this warning recently through a Dependabot Alert about an insecure dependency (got), which seems to be used by update-notifier.
Title: Got allows a redirect to a UNIX socket #10
Apparently this was dealt with in yeoman/update-notifier@9183541 but that change also switched the module to ESM as mentioned in remy/nodemon#1961 (comment). It's worth mentioning that nodemon is considering dropping the dependency as per remy/nodemon#2023 (comment) and remy/nodemon#1961.