yarn lock locks down growl@1.9.2 but this version has vulnerabilities
clisterdmello opened this issue · 2 comments
clisterdmello commented
growl@1.9.2:
version "1.9.2"
resolved "https://registry.yarnpkg.com/growl/-/growl-1.9.2.tgz#0ea7743715db8d8de2c5ede1775e1b45ac85c02f"
is locked down in yarn.lock, but this version has vulnerabilities.
Is it possible to update it to the version that mocha gets in?
└─┬ mocha@8.1.3
└── growl@1.10.5
There are other libraries as well. I will make a list of them, but this one seemed a little higher priority 👍
I can do a PR as well :)
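Added example (not the reporter's code and not part of uri-js): a small yarn.lock v1 parser that flags a locked package whose version is older than the one another dependency resolves, here growl@1.9.2 against the 1.10.5 that the mocha@8.1.3 tree pulls in. The lockfile text is constructed from the entries quoted above.

```javascript
// Constructed yarn.lock v1 fragment, copied from the entry quoted in the issue.
const LOCKFILE = `
growl@1.9.2:
  version "1.9.2"
  resolved "https://registry.yarnpkg.com/growl/-/growl-1.9.2.tgz#0ea7743715db8d8de2c5ede1775e1b45ac85c02f"
`;

// Parse yarn.lock v1 blocks into { name, range, version, resolved }.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line.trim()) continue;
    if (!/^\s/.test(line)) {
      // Header such as `growl@1.9.2:` (several comma-separated keys are possible;
      // the first one is enough to identify the package).
      const key = line.replace(/:$/, "").split(",")[0].trim().replace(/^"|"$/g, "");
      const at = key.lastIndexOf("@"); // lastIndexOf keeps scoped names intact
      current = { name: key.slice(0, at), range: key.slice(at + 1), version: null, resolved: null };
      entries.push(current);
      continue;
    }
    const m = line.trim().match(/^(version|resolved) "([^"]+)"$/);
    if (m && current) current[m[1]] = m[2];
  }
  return entries;
}

// Numeric major.minor.patch comparison: negative if a < b, 0 if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Report lockfile entries for `name` whose locked version is below `minVersion`.
function findStalePins(lockText, name, minVersion) {
  return parseYarnLock(lockText)
    .filter((e) => e.name === name && e.version && compareSemver(e.version, minVersion) < 0)
    .map((e) => `${e.name}@${e.range} locked at ${e.version}, below ${minVersion}`);
}

console.log(findStalePins(LOCKFILE, "growl", "1.10.5"));
```

The same check can be run over a full yarn.lock with any package name and the version that the rest of the tree already resolves, so a stale pin shows up before `yarn audit` has to.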
garycourt commented
This package is not used in production, and is only used to compile and/or unit test the code. Therefore, any risk is quite low. But yes, it should be possible to update this package version.
garycourt commented
Now fixed in uri-js@4.4.1.