How big is the difference from 1.6.* to 2.* ?
StoneCypher opened this issue · 3 comments
One of the dependencies of 1.6.* has a security vulnerability that GitHub constantly warns about. It's not in 2.* - it's disparity.

Unfortunately, the fix to diff was incorrectly applied to disparity as a new major, instead of as a minor, meaning its downstreams aren't updating, so the "fix" isn't in place.
Can a user of 1.6.* use 2.*?
Could ... could I talk you into patching and publishing a new 1.6? It's just a version bump, and nyc / ava are throwing security faults on this.
Tree back is diff (patched) ← disparity (patched wrongly) ← concat-stream 1.6
Disparity 2 should have been patched as a 2.* but instead got patched as a 3.*, meaning your package, which should pick it up, doesn't.
Even though it's not your fault or problem, a new concat-stream 1.6 that bumped disparity to 3 could solve this immediately.
This also throws for documentation.js
It seems that the only difference was https://github.com/maxogden/concat-stream/commit/a88de2cf17226d5bf35301b59ce532956d26b359.
If I had to guess, the major version was bumped because it increased the minimum nodejs version from 0.8 to 6.0.
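The semver mechanics behind the thread above (a fix published as a new major version never reaching dependents that declare a caret range) as an added example in plain Node.js. This is not code from any participant, from concat-stream or from disparity; the `^2.0.0` range and the list of published versions are constructed for illustration, not quoted from the real manifests or release history.

```javascript
// Added example: a minimal caret-range checker with no dependency on the npm
// "semver" package. It models the thread's situation: a dependent declaring
// "^2.x" on disparity never resolves to a fix that was published as 3.0.0.
// The ranges and version lists below are assumptions made for this example.

// Parse "M.m.p" (optional leading "v") into three integers. Prerelease tags
// are deliberately rejected to keep the comparison rules simple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareParsed(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's rule that the
// leftmost non-zero component must not change:
//   ^1.2.3 -> <2.0.0,  ^0.2.3 -> <0.3.0,  ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True if `version` lies inside the caret range `range` (e.g. "^2.0.0").
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are handled: ${range}`);
  const lower = parseVersion(range.slice(1));
  const upper = caretUpperBound(lower);
  const v = parseVersion(version);
  return compareParsed(v, lower) >= 0 && compareParsed(v, upper) < 0;
}

// What an installer would resolve: the highest published version inside the
// range, or null if nothing matches.
function highestSatisfying(range, published) {
  let best = null;
  for (const v of published) {
    if (!satisfiesCaret(range, v)) continue;
    if (best === null || compareParsed(parseVersion(v), parseVersion(best)) > 0) best = v;
  }
  return best;
}

// Does a dependent with `declaredRange` end up on `fixedVersion` or later?
function fixReachesDependent(declaredRange, fixedVersion, published) {
  const resolved = highestSatisfying(declaredRange, published);
  return resolved !== null &&
    compareParsed(parseVersion(resolved), parseVersion(fixedVersion)) >= 0;
}

// Constructed scenario (assumed numbers, not disparity's real release history):
// 2.0.0 depends on the vulnerable diff; the fix ships as 3.0.0.
const publishedDisparity = ['1.0.0', '2.0.0', '3.0.0'];
const dependentRange = '^2.0.0'; // assumed range for the dependent

console.log('resolves to', highestSatisfying(dependentRange, publishedDisparity)); // 2.0.0
console.log('fix as 3.0.0 reaches dependent?',
  fixReachesDependent(dependentRange, '3.0.0', publishedDisparity)); // false
// Had the fix been published as 2.0.1 (a patch bump), the same range picks it up:
console.log('fix as 2.0.1 reaches dependent?',
  fixReachesDependent(dependentRange, '2.0.1', [...publishedDisparity, '2.0.1'])); // true
```

The last two calls are the whole point of the thread: a caret range's upper bound is the next major, so a security fix that only exists in a new major is invisible to every dependent that did not also bump its own declared range, and the only ways out are a back-ported release inside the old major or a range bump in each dependent.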