Skip to content

chore(package): update cosmiconfig #818

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
piotr-oles merged 2 commits into from
Oct 29, 2023
Merged

chore(package): update cosmiconfig #818

piotr-oles merged 2 commits into from
Oct 29, 2023

Conversation

@mkhraisha
Copy link
Contributor

@mkhraisha mkhraisha commented Jun 21, 2023

Similar to #815 except it updates yarn.lock.

cosmiconfig dropped dependency on the yarn npm package which has CVEs

@mkhraisha
Copy link
Contributor Author

mkhraisha commented Jun 27, 2023

@piotr-oles

@LucianBuzzo
Copy link
Contributor

LucianBuzzo commented Sep 7, 2023

This also fixes an issue related to the vulnerable v1 version of the yaml package - GHSA-f9xv-q969-pqx4
Unfortunately v8.0.0 of cosmiconfig dropped support for v12 of node, which is still supported by fork-ts-checker-webpack-plugin - see https://github.com/cosmiconfig/cosmiconfig/blob/main/CHANGELOG.md#800
This is a little bit of a headache, because you end up with CVE warnings for any installation of NestJS, since the @nestjs/cli package has a transitive dependency on cosmiconfig (via this package) and the older version of cosmiconfig has a dependency on the vulnerable yaml version!
I'm not sure on the best way to proceed, my personal preference would be for the maintainers to cut a new major version and drop support for node v12, since security support for v12 ended over 1 year ago.

@LucianBuzzo LucianBuzzo mentioned this pull request Sep 7, 2023
Merged
@piotr-oles piotr-oles force-pushed the chore/update_cosmiconfig branch from e29e40f to d63698a Compare October 4, 2023 07:03
@LucianBuzzo LucianBuzzo mentioned this pull request Oct 4, 2023
Closed
3 tasks
@piotr-oles piotr-oles merged commit 26a81ed into TypeStrong:main Oct 29, 2023
@github-actions
Copy link

github-actions bot commented Oct 29, 2023

🎉 This PR is included in version 9.0.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mkhraisha @LucianBuzzo @piotr-oles