Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE] Bump tsd to 0.21.0 to remove dependency on got #258

Closed
joshuarrrr opened this issue Jun 23, 2022 · 2 comments
Closed

[CVE] Bump tsd to 0.21.0 to remove dependency on got #258

joshuarrrr opened this issue Jun 23, 2022 · 2 comments

Comments

@joshuarrrr
Copy link
Member

joshuarrrr commented Jun 23, 2022

From opensearch-project/OpenSearch-Dashboards#1764, CVE-2022-33987 can be remediated by removing or updating got. For this project, the easiest fix is to update tsd, which no longer has a got dependency.

yarn why got
yarn why v1.22.18
[1/4] Why do we have the module "got"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "tsd#update-notifier#latest-version#package-json" depends on it
   - Hoisted from "tsd#update-notifier#latest-version#package-json#got"
Done in 0.31s.

tsd v0.17.0 removes dependency chain:

  • update-notifier
  • latest-version
  • package-json
  • got
@joshuarrrr
Copy link
Member Author

Note that this issue is blocked until we update the node dependency of this repo - 0.7.0 requires node 12: https://github.com/SamVerschueren/tsd/releases/tag/v0.17.0

@VachaShah
Copy link
Collaborator

Closed via #272

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants