This repository has been archived by the owner on Oct 3, 2023. It is now read-only.
Depends on vulnerable package: minimist v0.0.8 and v1.2.0 #790
Labels
Comments
|
This was supposed to be fix, no? #787 |
|
Yes, that looks like it fixes at least the dependency on minimist 1.2.0. Couldn't see any changes to fix dependency on minimist 0.0.8. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Please answer these questions before submitting a bug report.
What version of OpenCensus are you using?
0.0.20
What version of Node are you using?
10.15.1
What did you do?
Run
npm installfor my application, then runnpm ls minimistWhat did you expect to see?
opencensus-node should only depend on packages that do not contain vulnerabilities.
What did you see instead?
Here's the dependency graph:
+-- @opencensus/nodejs@0.0.20
|
-- @opencensus/instrumentation-all@0.0.20 |-- @opencensus/instrumentation-grpc@0.0.20|
-- grpc@1.24.2 |-- node-pre-gyp@0.14.0| +-- mkdirp@0.5.1
| |
-- minimist@0.0.8 |-- rc@1.2.8| `-- minimist@1.2.0
Additional context
minimist v0.0.8 and minimist v1.2.0 contain a vulnerability - see https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-7598/
The text was updated successfully, but these errors were encountered: