Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Security vulnerability in js-yaml dependency

See original GitHub issue

Tell us about your environment

ESLint Version: 5.16.0 (latest)
Node Version: v11.12.0
npm Version: 6.9.0

npm audit will report this vulnerability

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint > js-yaml                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/813                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

Issue Analytics

State:
Created 4 years ago
Comments:7 (2 by maintainers)

Top GitHub Comments

2reactions

ScottA38commented, May 15, 2019

I had just left a comment asking what fresh install meant, but I have just realised it was a painfully obvious npm uninstall eslint and then npm install -D eslint. For anyone else though who is not so clued in with npm like me, that worked

1reaction

not-an-aardvarkcommented, Apr 29, 2019

It’s not clear to me that that would be warranted. I’m not sure how your CI setup works, but there’s nothing stopping you from using the latest version of js-yaml with the latest stable release of ESLint. In fact, if you’re doing a fresh install without a lockfile, you should already be getting the patched version of js-yaml.

Top Results From Across the Web

js-yaml - Snyk Vulnerability Database

version published direct vulnerabilities 4.1.0 14 Apr, 2021 0. C. 0. H. 0. M. 0. L 4.0.0 3 Jan, 2021 0. C. 0. H. 0....

Security vulnerability (High Severity) in js-yaml dependency

As an update, npm audit now yields a high severity error (code injection) on the same dependency. For reference, this is on node...

15393 (Dependency (js-yaml) Security Vulnerability) - jQuery UI

jscs is no longer supported and development team has moved over to help with the ESLint project. Consumption of a security patch is...

Fixing security vulnerabilities in npm dependencies in less ...

So a better solution here would be to only delete the lines corresponding to the vulnerable package in your package-lock.json(or yarn.lock) file. Run...

js-yaml | npm | Open Source Insights

JavaScript YAML parser and dumper. Very fast. call_split 766 forks. star 6k stars. OpenSSF scorecard. The Open Source Security Foundation is a cross ......