latest version of "rc" contains older version of its dependent
sarita-kumari-dev opened this issue · 1 comments
sarita-kumari-dev commented
In the yarn.lock file of my application I have "rc": "1.2.8", but the issue is that it has a dependent package "strip-json-comments" which takes a very old version of itself.
Its latest one is "3.1.0" and it is taking "2.0.1", which leads to a security defect in the application.
Below is the dependency tree of yarn.lock -
```
rc@^1.0.1, rc@^1.1.2, rc@^1.1.6, rc@^1.2.8:
  version "1.2.8"
  resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#cd924bf5200a075b83c188cd6b9e211b7fc0d3ed"
  integrity sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==
  dependencies:
    deep-extend "^0.6.0"
    ini "~1.3.0"
    minimist "^1.2.0"
    strip-json-comments "~2.0.1"
```
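The reason yarn cannot pick 3.1.0 here is the range `rc` itself declares: `~2.0.1` only admits 2.0.x. The following script (an added example, not code from `rc` or from the reporter) parses the lock entry quoted above, evaluates `~`/`^` ranges the way npm semver does, and reports which transitive dependencies are held back by the parent's declared range; `blocked_upgrades` and the sample lock text are constructed for this illustration.

```python
import re

# Constructed sample: the yarn.lock entry for rc@1.2.8 quoted in the issue.
YARN_LOCK = """\
rc@^1.0.1, rc@^1.1.2, rc@^1.1.6, rc@^1.2.8:
  version "1.2.8"
  dependencies:
    deep-extend "^0.6.0"
    ini "~1.3.0"
    minimist "^1.2.0"
    strip-json-comments "~2.0.1"
"""

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def range_allows(spec, version):
    """Check an npm-style '~x.y.z' or '^x.y.z' range against a concrete version.
    '~' fixes major and minor; '^' fixes the leftmost non-zero component."""
    op, base = spec[0], parse_version(spec[1:])
    ver = parse_version(version)
    if ver < base:
        return False
    if op == "~":
        return ver[:2] == base[:2]
    if op == "^":
        # ^0.6.0 admits only 0.6.x; ^1.2.0 admits any 1.x.y >= 1.2.0
        first_nonzero = next((i for i, c in enumerate(base) if c), len(base) - 1)
        return ver[:first_nonzero + 1] == base[:first_nonzero + 1]
    raise ValueError(f"unsupported range: {spec}")

def parse_dependencies(lock_text):
    """Return {name: range} from the 'dependencies:' section of one lock entry."""
    deps, in_deps = {}, False
    for line in lock_text.splitlines():
        if line.strip() == "dependencies:":
            in_deps = True
            continue
        m = re.match(r'\s+(\S+) "([^"]+)"', line) if in_deps else None
        if m:
            deps[m.group(1)] = m.group(2)
    return deps

def blocked_upgrades(lock_text, wanted):
    """For each wanted {name: version}, return the parent's ranges that would
    stop yarn from resolving that dependency to the wanted version."""
    deps = parse_dependencies(lock_text)
    return {n: deps[n] for n, v in wanted.items()
            if n in deps and not range_allows(deps[n], v)}
```

Because the constraint lives in `rc`'s own manifest, a consumer cannot change it by bumping their lockfile; yarn's `resolutions` field in package.json is the mechanism for forcing a transitive version until the upstream range is widened.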
goatandsheep commented