Update dependency "update-notifier" (and its internal "dot-prop") #360
Comments
@subukamath currently to not break things we're forced to maintain Node.js v6+ support, hence we stick to older
Still, in a 1-2 month period we should release a new major, and then we'll definitely upgrade all dependencies
Thank you.
Any updates on this? A high severity warning was published on July 29 https://www.npmjs.com/advisories/1213
Hopefully the new major will be released September-October
Related to serverless/serverless#7486
The existing version of "update-notifier": "^2.5.0" dependency used in this library is using an older version of configstore which in turn has a dependency of dot-prop@4.2.0 which has a "Prototype Pollution" security vulnerability.
Please can you update to latest version of configstore which is using the latest version of dot-prop that has addressed this vulnerability.
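The chain reported in this issue (update-notifier, then configstore, then dot-prop@4.2.0) can be confirmed from a lockfile. The following is an added example, not part of the original issue or the project's code: it walks an npm `package-lock.json` in the lockfileVersion 1 layout and returns every path from a direct dependency to a given package version. The `findPaths` helper and the sample lockfile are constructed for illustration, and the configstore and nested dot-prop versions in it are placeholders.

```javascript
// Constructed sample lockfile (lockfileVersion 1: hoisted entries, "requires"
// lists, nested "dependencies" for version conflicts). Only dot-prop 4.2.0 and
// update-notifier 2.5.0 come from the issue; other versions are placeholders.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'update-notifier': { version: '2.5.0', requires: { configstore: '^3.0.0' } },
    configstore: { version: '3.1.2', requires: { 'dot-prop': '^4.1.0' } },
    'dot-prop': { version: '4.2.0' },
    other: {
      version: '1.0.0',
      requires: { 'dot-prop': '^5.0.0' },
      dependencies: { 'dot-prop': { version: '5.2.0' } },
    },
  },
};

// Returns "a@1 > b@2 > target@x" strings for every path that starts at one of
// directDeps (the names listed in package.json) and ends at targetName@targetVersion.
function findPaths(lock, directDeps, targetName, targetVersion) {
  const hits = [];
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const walk = (name, scopes, trail) => {
    // Node-style resolution: the nearest enclosing "dependencies" map wins.
    const idx = scopes.findIndex((scope) => has(scope, name));
    if (idx === -1) return; // optional or missing entry
    const node = scopes[idx][name];
    const label = `${name}@${node.version}`;
    if (trail.includes(label)) return; // break dependency cycles
    const path = [...trail, label];
    if (name === targetName && node.version === targetVersion) {
      hits.push(path.join(' > '));
      return;
    }
    // Children resolve from this node's own nested map, then outward.
    const outer = scopes.slice(idx);
    const inner = node.dependencies ? [node.dependencies, ...outer] : outer;
    for (const req of Object.keys(node.requires || {})) walk(req, inner, path);
  };
  for (const dep of directDeps) walk(dep, [lock.dependencies || {}], []);
  return hits;
}

console.log(findPaths(sampleLock, ['update-notifier', 'other'], 'dot-prop', '4.2.0'));
```

The `other` entry shows why resolution order matters: its nested dot-prop shadows the hoisted 4.2.0 copy, so that path is not reported.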