@nestjs/schedule 2.1.0 depends on vulnerable versions of luxon
PetrShchukin opened this issue · 3 comments
PetrShchukin commented
The @nestjs/schedule package with version 2.1.0 depends on vulnerable versions of luxon: luxon 1.0.0 - 1.28.1. Severity: high.
```
# npm audit report

luxon 1.0.0 - 1.28.1
Severity: high
Luxon Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-3xq5-wjfh-ppjc
fix available via `npm audit fix --force`
Will install cron@1.8.2, which is a breaking change
node_modules/luxon
  cron >=1.8.3
  Depends on vulnerable versions of luxon
  node_modules/@nestjs/schedule/node_modules/cron
  node_modules/cron
    @nestjs/schedule >=2.0.1
    Depends on vulnerable versions of cron
    node_modules/@nestjs/schedule

3 high severity vulnerabilities
```
jitbasemartin commented
cron v2.2.0 uses the last version of luxon now: kelektiv/node-cron#646
micalevisk commented
so it's just a matter of merging #983
kamilmysliwiec commented
let's track this here #983