Conversation
resolves #54

This allows js-yaml 4.1.1 to be used, to avoid [CVE-2025-64718][].

[CVE-2025-64718]: https://www.cve.org/CVERecord?id=CVE-2025-64718
```json
"js-yaml": "4.1.x",
"ports": "1.1.x",
"underscore": "1.12.x"
```
Would be great to have more flexibility:
```diff
-"js-yaml": "4.1.x",
-"ports": "1.1.x",
-"underscore": "1.12.x"
+"js-yaml": "^4.1.1",
+"ports": "^1.1.0",
+"underscore": "^1.13.7"
```
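Review bot: `^4.1.1` supplies the lower bound that `4.1.x` lacks. `4.1.x` is `>=4.1.0 <4.2.0`, so it also admits 4.1.0 and on its own does not guarantee the 4.1.1 fix the PR description cites; `^4.1.1` is `>=4.1.1 <5.0.0`, which excludes it. Whichever range is chosen, if a lockfile is committed it still has to be refreshed (for example `npm update js-yaml`, then `npm ls js-yaml` to confirm the resolved version), because editing package.json alone does not move an already-locked 4.1.0.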
ports hasn't been updated in 12 years, underscore@1.12.1 is 5 years old
At least for underscore something can be done: 1.13.7 is 16 months old; in 2 months it will also start triggering security warnings, but at least it will be easier to justify them.
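The comment above turns on what `4.1.x` and `^4.1.1` actually admit. The following is an added example written for this page, not code from cfenv, js-yaml or the commenter: a minimal checker for the two range shapes discussed (x-ranges and caret ranges) that reports which of a given list of versions a range accepts. The `JS_YAML_4X` list is a constructed sample, not a registry query, and the checker ignores prerelease tags, `~`, hyphen ranges and `||` unions.

```javascript
// Minimal npm-style semver range checker (added example; not part of cfenv or js-yaml).
// Handles only x-ranges ("4.1.x", "4.x") and caret ranges ("^4.1.1"). Prerelease
// tags, "~", hyphen ranges and "||" unions are deliberately out of scope.

// "4.1.1" -> [4, 1, 1]; anything else is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch]; -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Turn a range into an inclusive lower bound and an exclusive upper bound,
// following npm's documented meaning of each shape.
function bounds(range) {
  const r = range.trim();
  let m;
  if ((m = /^(\d+)\.(\d+)\.[xX*]$/.exec(r))) {
    // "4.1.x" -> >=4.1.0 <4.2.0 (note: 4.1.0 is admitted)
    const major = Number(m[1]);
    const minor = Number(m[2]);
    return { low: [major, minor, 0], high: [major, minor + 1, 0] };
  }
  if ((m = /^(\d+)\.[xX*]$/.exec(r))) {
    // "4.x" -> >=4.0.0 <5.0.0
    const major = Number(m[1]);
    return { low: [major, 0, 0], high: [major + 1, 0, 0] };
  }
  if ((m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(r))) {
    // "^4.1.1" -> >=4.1.1 <5.0.0; caret narrows for 0.x and 0.0.x versions
    const [major, minor, patch] = m.slice(1).map(Number);
    if (major > 0) return { low: [major, minor, patch], high: [major + 1, 0, 0] };
    if (minor > 0) return { low: [major, minor, patch], high: [major, minor + 1, 0] };
    return { low: [major, minor, patch], high: [major, minor, patch + 1] };
  }
  throw new Error(`unsupported range: ${range}`);
}

// True when `version` lies inside the half-open interval described by `range`.
function satisfies(version, range) {
  const v = parseVersion(version);
  const { low, high } = bounds(range);
  return compare(v, low) >= 0 && compare(v, high) < 0;
}

// Given the versions a registry offers, return those a range would accept.
function admitted(range, available) {
  return available.filter((v) => satisfies(v, range));
}

// Constructed sample of 4.x release versions used for the demonstration.
const JS_YAML_4X = ['4.0.0', '4.1.0', '4.1.1'];

// Show which versions each range from the review thread would allow.
function demo() {
  const out = {};
  for (const range of ['4.1.x', '^4.1.1']) {
    out[range] = admitted(range, JS_YAML_4X);
    console.log(`${range} admits: ${out[range].join(', ')}`);
  }
  return out;
}

demo();
```

The point the output makes is that `4.1.x` admits both 4.1.0 and 4.1.1, while `^4.1.1` admits only 4.1.1 from this list (and any later 4.y.z release), which is the floor a security bump needs.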
Can this please be merged ASAP? We need this fix to address that CVE. Thanks!
I'll eventually get to this, but it's on my back burner - I have no skin in this game. We'll have to find a new maintainer if there end up being frequent dependency updates ... because I have no time to deal with this. Presumably anyone willing to help maintain this would need to become a member of this org.
@pmuellr Hello again! When can we expect this PR to be merged and this vulnerability fix to be published? Thanks!
published to npm as 1.2.5: https://www.npmjs.com/package/cfenv/v/1.2.5
Thanks, @pmuellr, that was a big help. :-) All the best!