
@babel/core: Upgrade json5 to 2.1.2


In @babel/core 7.8.7, the current version of json5 (2.1.1) depends on a version of minimist that contains the security vulnerability CVE-2020-7598. Can we update json5 to 2.1.2 to resolve this?

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Reactions: 4
  • Comments: 13 (8 by maintainers)

Top GitHub Comments

5 reactions
paulmillr commented, Mar 19, 2020

pushed fsevents 1.2.12

1 reaction
nicolo-ribaudo commented, Mar 18, 2020

@adamu

@babel/cli > chokidar > fsevents > node-pre-gyp > rc > minimist

There is a problem here: we can’t upgrade to chokidar v3 in Babel 7 because it contains breaking changes that would be reflected to our users.

  • @babel/cli has an optional dependency on chokidar@^2.1.8.
  • chokidar@2.1.8 has an optional dependency on fsevents@^1.2.7
  • fsevents@1.2.11 bundles all its dependencies, including minimist@0.0.8

There are a few solutions:

  1. With yarn, you could try to force a chokidar@3 upgrade using the resolutions field in package.json. Maybe the breaking change doesn’t affect you.
  2. With npm, you can try using npm-force-resolutions to force a chokidar@3 upgrade. npm audit will still complain, but you won’t actually have the insecure code.
  3. You can use npm --no-optional to avoid installing chokidar@2 (you might first have to delete your package-lock.json)
  4. You can ask the fsevents maintainers to release a fsevents@1.2.12 version, which would be automatically picked up by chokidar@2. Even if the last version is 2.1.2, it looks like the v1 release line is still maintained.
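As an added illustration (not code from the Babel project or from this comment's author), the script below walks a lockfileVersion 1 package-lock.json tree and reports every path that reaches minimist, flagging whether the chain passes through optional dependencies (which is what makes `npm --no-optional` effective) and whether the copy is bundled inside its parent's tarball (which is why a new fsevents release, rather than an override on minimist itself, is what fixes that copy). The lockfile is a constructed excerpt modelled on the chain quoted above; every version in it is assumed.

```javascript
// Added example (not Babel's code): walk a package-lock.json (lockfileVersion 1)
// tree and report every path that reaches a package, with the optional/bundled
// markers that decide which of the remedies listed above can actually work.
// The lockfile is CONSTRUCTED to mirror the quoted chain; versions are assumed.
const constructedLock = {
  dependencies: {
    "@babel/cli": { version: "7.8.4", dependencies: {
      chokidar: { version: "2.1.8", optional: true, dependencies: {
        fsevents: { version: "1.2.11", optional: true, dependencies: {
          "node-pre-gyp": { version: "0.12.0", bundled: true, optional: true },
          rc: { version: "1.2.8", bundled: true, optional: true },
          minimist: { version: "0.0.8", bundled: true, optional: true },
        } },
      } },
    } },
    // a second, ordinary copy that a resolutions override could replace
    minimist: { version: "1.2.0" },
  },
};

// Recursively collect every path ending at `target`: installed version, whether
// any hop is optional, and whether the package is bundled in its parent's tarball.
function findPackagePaths(node, target, trail = [], hits = []) {
  for (const [name, entry] of Object.entries(node.dependencies || {})) {
    const path = [...trail, { name, optional: !!entry.optional }];
    if (name === target) {
      hits.push({
        path: path.map((h) => h.name).join(" > "),
        version: entry.version,
        viaOptional: path.some((h) => h.optional),
        bundled: !!entry.bundled,
      });
    }
    findPackagePaths(entry, target, path, hits);
  }
  return hits;
}

// Map the markers onto the options from the comment: a bundled copy is only fixed
// by a new release of the bundling package, an optional chain can be skipped with
// --no-optional, and anything else can be replaced through a resolutions override.
function applicableRemedies(hit) {
  const out = [];
  if (hit.bundled) out.push("new release of bundling package");
  if (hit.viaOptional) out.push("npm --no-optional");
  if (!hit.bundled) out.push("resolutions override");
  return out;
}

for (const h of findPackagePaths(constructedLock, "minimist")) {
  console.log(`${h.path}@${h.version}: ${applicableRemedies(h).join(", ")}`);
}
```

Point it at a real lockfile by replacing `constructedLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfileVersion 2 and 3 files use a flat `packages` map instead and are not handled here.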
