Vulnerability with dependency yaml@2.0.0-1

Question

Vulnerability with dependency yaml@2.0.0-1

ankit201206 opened this issue 2 years ago · 6 comments

ankit201206 commented 2 years ago

There is a security vulnerability discovered with a deep-down dependency of yaml@2.0.0-1. It looks like this has been resolved with v2.2.2, so an upgrade of that dependency version to v2.2.2 seems to be in order.

Answer 1 · 2023-04-25T16:02:22.000Z

Hi, @ankit201206 thanks

can you send a pr fixing it, please?

Answer 2 · 2023-04-26T13:55:05.000Z

There's a PR already from the dependency bot - #360

Answer 3 · 2023-05-04T07:30:44.000Z

@daniloab , Hi! Please let us know, what is ETA of new version release with this fix?

Answer 4 · 2023-05-04T13:12:31.000Z

@daniloab , Hi! Please let us know, what is ETA of new version release with this fix?

We need a fix in the yaml 2.2.2 dependabot pull request. Can someone fix this for us, please? Or check why the tests are breaking it

Answer 5 · 2023-05-17T07:43:43.000Z

Vulnerability is still in there.
Is there going to be a fix soon?

Answer 6 · 2023-07-16T09:45:09.000Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.