Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
`got` has security vulnerability
See original GitHub issueThe got@9.6.0 package (that has been indirectly referenced in this repository) contains a “Moderate” security vulnerability - see https://github.com/advisories/GHSA-pfrx-2q88-qq97.
The vulnerability has been fixed in a later version i.e. got@11.8.5 (or higher).
Here is the output of the npm why command ran on a repo containing the @lhci/cli@0.9.0 - that shows the dependency tree of how the got package is being imported into this package:
$ npm why got
got@9.6.0
node_modules/got
got@"^9.6.0" from package-json@6.5.0
node_modules/package-json
package-json@"^6.3.0" from latest-version@5.1.0
node_modules/latest-version
latest-version@"^5.0.0" from update-notifier@3.0.1
node_modules/update-notifier
update-notifier@"^3.0.1" from @lhci/cli@0.9.0
node_modules/@lhci/cli
@lhci/cli@"^0.9.0" from the root project
Consider upgrading the update-notifier package to 6.0.2 or the latest version.
Or as per issue https://github.com/GoogleChrome/lighthouse/issues/13453 consider merging PR #756 where the update-notifier package is being removed.
Issue Analytics
- State:
- Created a year ago
- Reactions:4
- Comments:5
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
0.10.0 is now available.
#756 has been merged. Oddly, npm has
@lhci/cli@0.9.0, but the latest in this repo is0.1.0and the last time that line was changed was 3 years ago. I don’t think this repo is where the package is getting published from despite therepositoryURL in thepackage.json.