Comments (4)
Thanks for your patience here folks, lerna 8.1.3 is available now and a freshly generated workspace only contains tar 6.2.1.
Please also remember that lerna, as a dev tool which exclusively runs on users' machines, is not subject to exploitation by such a vulnerability; you would literally have to attack yourself on your own computer. Or, put another way, if an attacker already had access to your local machine, you have bigger problems than your tar version 😄
I am happy we can remove an irrelevant warning from your feedback systems, but you may also want to consider if there is a way for you to mark certain warnings as irrelevant/not applicable.
This article on this topic is worth a read if you are not familiar: https://overreacted.io/npm-audit-broken-by-design/
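The comment above makes two practical points: the fixed tar is 6.2.1, and a copy of tar that is only reachable through dev tooling carries a different risk than one shipped at runtime. The script below is an added example written for this page, not code from the lerna project or from anyone in the thread. It walks a package-lock.json (lockfileVersion 2 or 3), finds every installed copy of a named package, compares each against a minimum fixed version, and reports whether that copy is marked dev-only in the lockfile. The lockfile it reads is constructed inline; the package `build-tool` in it is hypothetical, and the threshold 6.2.1 is the version named in the comment.

```javascript
// Added example, not code from the lerna project or from the issue thread.
// Scans a package-lock.json (lockfileVersion 2 or 3) for every installed copy
// of a package, compares each copy against a minimum fixed version, and notes
// whether that copy is a dev-only dependency (reachable only through tooling
// that runs on developers' machines) or a production dependency.

// Constructed sample lockfile: one runtime copy of tar at 6.2.1 (fixed) and a
// nested dev-only copy at 6.1.11 pulled in by a hypothetical build tool.
const SAMPLE_LOCK = {
  name: 'example-workspace',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-workspace', devDependencies: { 'build-tool': '^1.0.0' } },
    'node_modules/tar': { version: '6.2.1' },
    'node_modules/build-tool': { version: '1.0.0', dev: true },
    'node_modules/build-tool/node_modules/tar': { version: '6.1.11', dev: true },
  },
};

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Return -1, 0 or 1 comparing two versions numerically, field by field
// (a string comparison would wrongly rank 6.10.0 below 6.2.1).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The text after the last "node_modules/" in a lockfile key is the installed
// package name; scoped names keep their "@scope/" prefix.
function packageNameFromKey(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Find every installed copy of `pkgName` and classify it against `minFixed`.
function auditPackage(lock, pkgName, minFixed) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || packageNameFromKey(key) !== pkgName) continue;
    findings.push({
      path: key,
      version: entry.version,
      vulnerable: compareVersions(entry.version, minFixed) < 0,
      devOnly: Boolean(entry.dev),
    });
  }
  return findings;
}

// Count copies by category: runtime-reachable copies below the fix are the
// ones that warrant action; dev-only copies are the case the comment above
// describes as not exploitable in practice.
function summarise(findings) {
  return {
    vulnerableRuntime: findings.filter((f) => f.vulnerable && !f.devOnly).length,
    vulnerableDevOnly: findings.filter((f) => f.vulnerable && f.devOnly).length,
    clean: findings.filter((f) => !f.vulnerable).length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const found = auditPackage(SAMPLE_LOCK, 'tar', '6.2.1');
  for (const f of found) {
    const state = f.vulnerable ? 'BELOW FIX' : 'ok';
    console.log(`${f.path}: ${f.version} ${state}${f.devOnly ? ' (dev only)' : ''}`);
  }
  console.log(summarise(found));
}

if (typeof module !== 'undefined') {
  module.exports = { SAMPLE_LOCK, parseVersion, compareVersions, packageNameFromKey, auditPackage, summarise };
}
```

To run it against a real workspace, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfileVersion 1 files use a `dependencies` tree instead of `packages` and are not handled here.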
There is an automatic PR dealing with this issue.
An "Exceeded timeout of 60000 ms for a hook." error was thrown by the CI here.
Not sure whether it is just a glitch with CI agents or if the tar package update broke something.
@JamesHenry Could you please take a look?
A friendly nudge - this issue continues to appear on the security badge for lerna repos using dependabot...