garycourt/uri-js

yarn lock locks down growl@1.9.2 but this version has vulnerabilities

clisterdmello opened this issue · 2 comments

growl@1.9.2:
  version "1.9.2"
  resolved "https://registry.yarnpkg.com/growl/-/growl-1.9.2.tgz#0ea7743715db8d8de2c5ede1775e1b45ac85c02f"

is locked down in yarn.lock, but this version has vulnerabilities.
Is it possible to update it to the version that mocha pulls in?

└─┬ mocha@8.1.3
  └── growl@1.10.5

There are other libraries as well. I will make a list of them, but this one seemed a little higher priority 👍
I can do a PR as well :)
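The check the issue is asking for, as an added example that is not code from the uri-js project or from the issue participants: a small JavaScript scanner over a yarn.lock v1 file that lists every pinned version of one package, splits the sha1 fragment out of the `resolved` URL, and flags pins older than a chosen minimum. The lockfile text is constructed (the growl@1.9.2 entry quoted above plus a second growl entry with a placeholder hash), the 1.10.5 threshold is taken from the mocha tree in the issue rather than from any advisory, and the names parseYarnLock, packageName, compareVersions and findStalePins are the example's own.

```javascript
// Added example for this issue (not code from uri-js or its maintainers):
// a yarn.lock v1 scanner that lists every pinned version of one package and
// flags pins older than a chosen minimum. It does not consult an advisory
// database; the minimum is an assumption taken from the issue (1.10.5,
// the growl version mocha@8.1.3 pulls in).

// Constructed lockfile: the growl@1.9.2 entry quoted in the issue, plus a
// second growl entry written for the example (its tarball hash is a
// placeholder, not the registry value).
const LOCKFILE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


growl@1.9.2:
  version "1.9.2"
  resolved "https://registry.yarnpkg.com/growl/-/growl-1.9.2.tgz#0ea7743715db8d8de2c5ede1775e1b45ac85c02f"

growl@1.10.5:
  version "1.10.5"
  resolved "https://registry.yarnpkg.com/growl/-/growl-1.10.5.tgz#0000000000000000000000000000000000000000"
  dependencies:
    example-dep "^1.0.0"
`;

// Parse the subset of the v1 lockfile grammar needed here: an unindented
// header of comma-separated specs ending in ':', then two-space-indented
// `key "value"` fields. Deeper-indented blocks (e.g. dependencies) are skipped.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const specs = line
        .replace(/:\s*$/, "")
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, fields: {} };
      entries.push(current);
    } else if (current && /^ {2}\S/.test(line)) {
      const m = line.trim().match(/^(\S+)\s+"?([^"]*)"?$/);
      if (m) current.fields[m[1]] = m[2];
    }
  }
  return entries;
}

// "growl@1.9.2" -> "growl"; "@scope/pkg@^1.0.0" -> "@scope/pkg".
function packageName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Numeric compare of dotted versions; pre-release tags are ignored, which is
// enough for release pins but is not a full semver implementation.
function compareVersions(a, b) {
  const parts = (v) => v.split(/[-+]/)[0].split(".").map(Number);
  const pa = parts(a), pb = parts(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every lockfile entry for `pkg`, with the tarball URL and the sha1 fragment
// split out, and `stale` set when the pinned version is below `minimum`.
function findStalePins(lockText, pkg, minimum) {
  return parseYarnLock(lockText)
    .filter((e) => e.specs.some((s) => packageName(s) === pkg))
    .map((e) => {
      const [url, sha1 = ""] = (e.fields.resolved || "").split("#");
      return {
        specs: e.specs,
        version: e.fields.version,
        url,
        sha1,
        stale: compareVersions(e.fields.version, minimum) < 0,
      };
    });
}

for (const pin of findStalePins(LOCKFILE, "growl", "1.10.5")) {
  console.log(`${pin.specs.join(", ")} -> ${pin.version} (sha1 ${pin.sha1}) ${pin.stale ? "STALE" : "ok"}`);
}
```

Against a real repository, read `yarn.lock` from disk instead of the embedded string. The hash fragment on the `resolved` line is what Yarn checks the downloaded tarball against, so bumping a pin is not a matter of editing the `version` line: the whole entry has to be regenerated (for example with `yarn upgrade`), and `yarn why growl` shows which dependency still requests the old range.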

This package is not used in production, and is only used to compile and/or unit test the code. Therefore, any risk is quite low. But yes, it should be possible to update this package version.

Now fixed in uri-js@4.4.1.