Posted to dev@flagon.apache.org by "Joshua Poore (JIRA)" <ji...@apache.org> on 2019/07/26 02:01:00 UTC

[jira] [Closed] (FLAGON-423) Update Package File to Fix Down Stream Dependencies

     [ https://issues.apache.org/jira/browse/FLAGON-423?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua Poore closed FLAGON-423.
-------------------------------
    Resolution: Fixed

Reduced affected dependencies by 280+, down to 1 remaining vulnerability in the npm audit report.

> Update Package File to Fix Down Stream Dependencies
> ---------------------------------------------------
>
>                 Key: FLAGON-423
>                 URL: https://issues.apache.org/jira/browse/FLAGON-423
>             Project: Flagon
>          Issue Type: Sub-task
>          Components: UserALE.js
>    Affects Versions: UserALE.js 2.0.0, UserALE.js 2.0.1
>         Environment: node.js
>            Reporter: Joshua Poore
>            Assignee: Joshua Poore
>            Priority: Blocker
>             Fix For: UserALE.js 2.0.1, UserALE.js 2.0.0
>
>
> Because the Prototype Pollution vulnerability is so pervasive, npm is rolling back their "immutable" registry policy to allow for fixes to previous versions of ubiquitous dependencies (set-value, mixit, lodash). These fixes will bubble up to existing versions of major userale.js dev dependencies (gulp, nodemon, babel, etc., etc.). However, as the registry will accept changes to prior versions of dependencies, the hashes on these dependencies will change. This requires that we regenerate our package.json file. 


