Update vulnerable packages #763
Comments
rorymckinley
changed the title
|
decode-uri-component: This library is only used by devDependencies, so hopefully a safe change to make . The version to be upgraded is |
|
braces: "if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop" - per GHSA-grv7-fg5c-xmjg.
Unfortunately, |
|
@rorymckinley live-server is only used by an out of date ad unused dev server. We can just remove it and maybe fix the server later (i don't think the demo even needs it). I'll raise an issue to fix / update the dev demo. You can just remove the |
|
Note to self: When submitting the PR, add 'alarming comments' re: the |
|
Updated typesync - bumped up two minor versions as it was depending on ip which does not have a patch for the latest version and no patch on the horizon. |
|
postcss: Vulnerability relates to parsing of untrusted CSS - also only a devDependency. |
|
micromatch - vulnerable to regex DOS - used in a number of prod dependencies, but only 3 patch version bump needed to get a non-vulnerable version. |
|
word-wrap: devDependency vulnerable to a regex DOS. |
This is a bundle issue to cover upgrading issues picked up as a combination
pnpm auditand dependabot. Each upgrade will be covered by a comment on the issue, covering the reasoning for the upgrade.The text was updated successfully, but these errors were encountered: