
Comments (12)

ljharb avatar ljharb commented on July 19, 2024 2

We can revisit updating yargs past v11 if node 4 is dropped in the future.

from eslint-find-rules.

Xotic750 avatar Xotic750 commented on July 19, 2024 1

I understand the effort part. :) I was not overly concerned, but explain that to my manager. :D


ljharb avatar ljharb commented on July 19, 2024

Like many npm audit reports, this is a false positive, as eslint-find-rules isn't long-running enough for this to be a problem.


ljharb avatar ljharb commented on July 19, 2024

Also mem and nodejs-mem are two different packages.


Xotic750 avatar Xotic750 commented on July 19, 2024

OK, a little confused here as to what GitHub is on about?
[Screenshot 2019-07-25 at 17 20 41]


ljharb avatar ljharb commented on July 19, 2024

Ah, maybe it's just a poorly-written CVE explanation.

Either way, it's a false positive for this tool, and we'd have to update yargs to avoid it, which I suspect isn't worth the effort.


Xotic750 avatar Xotic750 commented on July 19, 2024

I created a PR for a full dependency update: #308

All seems well with it, if you want to use it ;)


Xotic750 avatar Xotic750 commented on July 19, 2024

New PR #309


ronkorving avatar ronkorving commented on July 19, 2024

It's worth updating just to get rid of the false alarm for everybody who encounters it, who is currently forced to go investigate and waste a ton of time. I would suggest reopening.


ljharb avatar ljharb commented on July 19, 2024

A better solution would be to direct efforts towards CVE factories and warning mechanisms (npm audit, github's vuln alerts) to find ways to minimize false positives rather than forcing churn on maintainers.


G-Rath avatar G-Rath commented on July 19, 2024

@ljharb Not quite sure why you think this is a false positive, as the dependency is quite clear:

I'm assuming you consider it a FP b/c it's not directly on eslint-find-rules, but instead one of its dependencies, but just want to ask in case I've missed something 🙂

That aside, since ESLint has now dropped Node 4 support, is there anything in particular that's keeping node@4 support around for you?

If it's a matter of time, I'm happy to do the bulk of the work if you'd be happy to review the PR 🙂
(also happy to wait until the new major of ESLint is released, so that node@8 support can be dropped at the same time)


ljharb avatar ljharb commented on July 19, 2024

@G-Rath it's a false positive not because it's not in the dep graph, but because the CVE does not affect eslint-find-rules' usage of yargs and thus mem.

eslint-find-rules supports down to eslint 3; what eslint 6 has dropped isn't really relevant. There would need to be a very compelling reason to drop support of an old eslint, I think, and "there's a non-applicable audit warning" doesn't feel like one.
