Comments (6)
I believe this is covered fully in GHSA-7wwv-vh3v-89cq. There is no real reason anyone on the v10 series already shouldn't upgrade ASAP.
At a glance I'd assume cli-highlight is definitely at risk from these security issues.
If you have more specific questions I'd be happy to help.
Hard to say if your own repo is at risk, would depend how/if you actually use cli-highlight... (see the advisory)
We depend on highlight.js ^10, so 10.4.1 is within range and will be picked by default on new installs. Existing consumers can easily upgrade to 10.4.1 using npm upgrade / yarn upgrade (same way they would have to upgrade to a new version of cli-highlight).
@felixfbecker I may not be as well versed in npm stuff as you are. Is there any point in bumping your package.json.lock file (which references an older insecure version), or does that only really apply to developers working directly on the cli-highlight project itself?
Yes, bumping the package-lock.json version will upgrade you to the newer version. npm upgrade should do this to my knowledge.
My mistake. There's no need to bump the version on this package. It can be upgraded downstream. Thanks for the conversation.
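A check a downstream consumer could run against their own manifest and lockfile, added here as an example and not code from the cli-highlight project or its maintainers: it implements the caret-range rule the thread relies on (a ^10 range admits 10.4.1) and reports whether the lockfile still pins a version older than the fix even though the declared range already allows it, which is exactly the situation the package-lock.json question above is about. The package.json range, the lockfile fragment and its pinned version 10.1.2 are constructed sample data; 10.4.1 is the fixed version named in the thread. Only caret ranges are handled, since that is the range cli-highlight declares.

```javascript
// Added example (not cli-highlight project code): decide whether a dependency
// vulnerability is fixed by updating the lockfile or needs a manifest range bump.
const FIXED_VERSION = '10.4.1'; // fixed highlight.js release named in the thread

// Constructed sample manifest: the caret range cli-highlight declares.
const samplePackageJson = { dependencies: { 'highlight.js': '^10' } };

// Constructed sample package-lock.json (lockfileVersion 2) pinning an older release.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/highlight.js': {
      version: '10.1.2', // constructed pre-fix version
      resolved: 'https://registry.npmjs.org/highlight.js/-/highlight.js-10.1.2.tgz',
    },
  },
};

// "10", "10.4" or "10.4.1" -> [10], [10, 4] or [10, 4, 1]; rejects anything else.
function parseVersion(v) {
  const parts = v.replace(/^[v=]/, '').split('.').map(Number);
  if (parts.length < 1 || parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version syntax: ${v}`);
  }
  return parts;
}

// Numeric major.minor.patch comparison; missing components count as 0.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Caret semantics: ^X.Y.Z allows changes that do not modify the leftmost
// non-zero component (^10 -> >=10.0.0 <11.0.0, ^0.2.3 -> >=0.2.3 <0.3.0).
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const parts = parseVersion(range.slice(1));
  const [maj, min = 0, pat = 0] = parts;
  const lower = `${maj}.${min}.${pat}`;
  let upper;
  if (maj > 0 || parts.length === 1) upper = `${maj + 1}.0.0`;
  else if (min > 0 || parts.length === 2) upper = `0.${min + 1}.0`;
  else upper = `0.0.${pat + 1}`;
  return { lower, upper };
}

function satisfiesCaret(range, version) {
  const { lower, upper } = caretBounds(range);
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

// Version the lockfile pins for a top-level dependency (lockfileVersion 1, 2 or 3).
function lockedVersion(lock, name) {
  if (lock.packages) {
    const entry = lock.packages[`node_modules/${name}`];
    return entry ? entry.version : null;
  }
  if (lock.dependencies && lock.dependencies[name]) return lock.dependencies[name].version;
  return null;
}

// Verdict: 'ok', 'update-lockfile' (range already admits the fix, lock is stale)
// or 'bump-range' (manifest itself excludes the fixed version).
function auditLock(pkgJson, lock, name, fixed) {
  const range = (pkgJson.dependencies || {})[name] || (pkgJson.devDependencies || {})[name];
  if (!range) throw new Error(`${name} is not declared in package.json`);
  const locked = lockedVersion(lock, name);
  const rangeAllowsFix = satisfiesCaret(range, fixed);
  const lockedIsVulnerable = locked !== null && compareVersions(locked, fixed) < 0;
  let action = 'ok';
  if (!rangeAllowsFix) action = 'bump-range';
  else if (lockedIsVulnerable) action = 'update-lockfile';
  return { range, locked, rangeAllowsFix, lockedIsVulnerable, action };
}

console.log(JSON.stringify(auditLock(samplePackageJson, sampleLock, 'highlight.js', FIXED_VERSION)));
```

Run with node; on the sample data the verdict is update-lockfile. In that case npm update highlight.js (npm upgrade is an alias) or yarn upgrade refreshes the lock entry without any change to package.json, and npm ls highlight.js afterwards confirms which version is actually resolved, including copies pulled in transitively through cli-highlight.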