Dependabot complaint due to perfectionist dependency

hyperlink (due to assetgraph) is giving me dependabot warnings (CVE-2021-23382), because hyperlink@5.0.4 requires postcss@^5.0.8 via a transitive dependency on perfectionist@2.4.0.

https://github.com/ben-eb/perfectionist was last updated five years ago, and has been archived by the author.

I presume it will be a ‘bit’ of a pain to eliminate this dependency, so I’m wondering if there is an ETA on a version of assetgraph that eliminates the problem? I thought I saw somewhere you had a new major version in the works; am I mistaken (and if not, any ETA?).

I really love your hyperlink package which depends on assetgraph, so I am hoping this is something that is in the works, though that is obviously entirely dependent on your time, energy, interest, etc.

Cheers, and thanks for the great work!
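The transitive chain the issue describes can be recovered from the lockfile itself. The following is an added example, not the issue author's code and not part of assetgraph or hyperlink: it walks a constructed package-lock.json excerpt with Node's module-resolution rules and reports which chains end at an affected copy of postcss. The `isAffected` predicate is a placeholder for the advisory's actual range, and all versions other than those named in the issue are illustrative.

```javascript
// Added example, not code from the issue, hyperlink or assetgraph: walk an npm
// lockfileVersion 2 "packages" map the way Node resolves modules to recover the
// hyperlink -> assetgraph -> perfectionist -> postcss chain Dependabot flags.
// Constructed excerpt; only hyperlink@5.0.4, perfectionist@2.4.0 and postcss@^5.0.8 come from the issue.
const lock = {
  packages: {
    "": { dependencies: { hyperlink: "^5.0.4", postcss: "^8.0.0" } },
    "node_modules/hyperlink": { version: "5.0.4", dependencies: { assetgraph: "^7.0.0" } },
    "node_modules/assetgraph": { version: "7.0.0", dependencies: { perfectionist: "^2.4.0" } },
    "node_modules/perfectionist": { version: "2.4.0", dependencies: { postcss: "^5.0.8" } },
    // The root pins postcss 8, so npm nests the 5.x copy under perfectionist.
    "node_modules/perfectionist/node_modules/postcss": { version: "5.2.18" },
    "node_modules/postcss": { version: "8.0.0" },
  },
};

// Resolve `name` as required from `fromPath`: nearest node_modules, then each ancestor's, then top level.
function resolve(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = `${dir ? dir + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Every dependency chain from the root ending at `target`; each step names the copy that actually resolves.
function chainsTo(lock, target) {
  const pkgs = lock.packages;
  const found = [];
  const walk = (path, trail, seen) => {
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const depPath = resolve(pkgs, path, dep);
      if (!depPath || seen.has(depPath)) continue; // unresolved or cycle
      const next = [...trail, `${dep}@${pkgs[depPath].version}`];
      if (dep === target) found.push(next);
      walk(depPath, next, new Set(seen).add(depPath));
    }
  };
  walk("", [], new Set());
  return found;
}

// Chains whose resolved `target` copy satisfies `isAffected` (a stand-in for the advisory's range; assumption).
function affectedChains(lock, target, isAffected) {
  return chainsTo(lock, target).filter((c) => isAffected(c[c.length - 1].split("@")[1]));
}
console.log(affectedChains(lock, "postcss", (v) => v.startsWith("5.")).map((c) => c.join(" > ")));
```

The hoisted postcss 8 at the top level does not satisfy perfectionist's `^5.0.8`, which is why the lockfile keeps a nested 5.x copy and Dependabot keeps reporting it.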

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 11 (5 by maintainers)

Top GitHub Comments

1 reaction
danielfdickinson commented, Mar 23, 2022

Dependabot has quit whining! At least for now…

I’ll have to see if your suggestion on my recent commit to my GitHub Action that uses hyperlink (and thus assetgraph) is correct (that it is the use of package-lock.json that is the issue) and if so, if I can change things up so that other people’s tools don’t complain at me about a lack of package-lock.json.

So this issue can be closed, if you wish. Since you get notifications when I @mention you, I will do so in my ‘perfectionist-dfd’ repo as I (hopefully) make progress.

1 reaction
papandreou commented, Mar 22, 2022

Getting rid of babel would be nice, and I don’t mind require/common.js. Assetgraph 7.x has to support node.js 12 anyway, and unflagged ESM didn’t land until 13/14.

Looking forward to hearing how you’re doing 👏

BTW have you considered using GitHub Discussions? I’m getting a little off-topic, for which I apologize.

It’s fine, really!
