mongodb-js/connect-mongodb-session

downstream mpath dependency vulnerability

delfuego opened this issue · 2 comments

GitHub's dependabot has started issuing warnings for projects that have a downstream dependency on versions of mpath <0.8.4 (due to CVE-2021-23438), which affects anything that depends on connect-mongodb-session at the moment — archetype 0.12.0, the latest version, depends on mpath 0.5.1.

I've flagged this over in archetype's issues, so if/when an update is made to archetype's dependencies, if the archetype version number is incremented to 0.13.x or higher, an update would be needed here as well.

I see the same issues

Fixed and released in v3.1.1 👍
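As an added example, not part of the thread or of either project's code: the JavaScript below walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3), finds installs of `mpath` older than 0.8.4, and reports the dependency chain that pulls each one in. `SAMPLE_LOCK`, `demo-app`, `other-lib`, the `0.0.0-sample` version and all function names are constructed for illustration; only archetype 0.12.0 and mpath 0.5.1 come from the issue.

```javascript
// SAMPLE_LOCK is constructed; only archetype 0.12.0 and mpath 0.5.1 come from the issue.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "": { name: "demo-app", version: "1.0.0", dependencies: { "connect-mongodb-session": "*", "other-lib": "*" } },
  "node_modules/connect-mongodb-session": { version: "0.0.0-sample", dependencies: { archetype: "0.12.x" } },
  "node_modules/archetype": { version: "0.12.0", dependencies: { mpath: "0.5.1" } },
  "node_modules/mpath": { version: "0.5.1" },
  "node_modules/other-lib": { version: "1.0.0", dependencies: { mpath: "0.8.4" } },
  "node_modules/other-lib/node_modules/mpath": { version: "0.8.4" },
} };

// Compare plain x.y.z versions numerically; pre-release suffixes are ignored (simplification).
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map(v => v.split("-")[0].split(".").map(Number));
  return [0, 1, 2].map(i => (pa[i] || 0) - (pb[i] || 0)).find(d => d !== 0) || 0;
}

// Node resolution: nearest node_modules/<name>, walking up from the dependent's install path.
function resolveInstall(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("node_modules/");
    base = cut <= 0 ? "" : base.slice(0, cut - 1);
  }
}

// Every dependency chain from the root project down to the install at `path`.
function chainsTo(packages, path, seen = []) {
  if (seen.includes(path)) return []; // guard against dependency cycles
  const name = path.split("node_modules/").pop();
  const label = `${name}@${packages[path].version}`;
  const chains = [];
  for (const [p, m] of Object.entries(packages)) {
    if (!(name in { ...m.dependencies, ...m.optionalDependencies, ...m.devDependencies })) continue;
    if (resolveInstall(packages, p, name) !== path) continue; // dependent uses another copy
    if (p === "") chains.push(["(root)", label]);
    else for (const c of chainsTo(packages, p, [...seen, path])) chains.push([...c, label]);
  }
  return chains;
}

// Installs of `name` older than `fixedVersion`, each with the chains that pull it in.
function findBelow(lock, name, fixedVersion) {
  const packages = lock.packages || {};
  return Object.keys(packages)
    .filter(p => p.endsWith("node_modules/" + name) && compareVersions(packages[p].version, fixedVersion) < 0)
    .map(p => ({ path: p, version: packages[p].version, chains: chainsTo(packages, p) }));
}
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findBelow(lock, "mpath", "0.8.4")`; the nested `other-lib` copy in the sample shows that an already-fixed install elsewhere in the tree is not reported.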