Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Lerna uses version of dot-prop@4.2.0 which does not include recent security fix

See original GitHub issue

Expected Behavior

Lerna has some packages that depend on the outdated version of the dot-prop package which does not include recent security fix.

For example:

lerna > @lerna/run > @lerna/command > @lerna/project > dot-prop
lerna > @lerna/run > @lerna/version > @lerna/project > dot-prop
lerna > @lerna/run > @lerna/publish > @lerna/project > dot-prop
...

Result of the npm ls dot-prop:

└─┬ lerna@3.22.1
  ├─┬ @lerna/add@3.21.0
  │ └─┬ @lerna/command@3.21.0
  │   └─┬ @lerna/project@3.21.0
  │     └── dot-prop@4.2.0

More info about vulnerabilities introduced here: https://npmjs.com/advisories/1213

Current Behavior

After running npm audit, results include vulnerabilities related to the outdated dot-prop package which is a dependency of Lerna.

Possible Solution

Update dot-prop package to at least >=5.1.1 - or the latest.

Steps to Reproduce (for bugs)

  1. Run npm audit in the project root where lerna is installed.

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:29
  • Comments:8

github_iconTop GitHub Comments

5reactions
roboswankcommented, Aug 21, 2020

As best I can tell, since dot-props does not have a CHANGELOG, there appear to be no breaking changes between v4 and v5. So, until this gets worked out you can just add this to your project’s package.json and the audit succeeds:

  "resolutions": {
    "dot-prop": "5.2.0"
  }

edit: the release section says as much - aside from the node version - no breaking changes. edit: see comment below about npm specific npm-force-resolutions to use this (if not using yarn)

1reaction
jimmyandradecommented, Aug 21, 2020

Yes, I am using npm. Thank you for complementing your comment and sharing the resolution for npm. I’ll try and check if it works.

Read more comments on GitHub >

github_iconTop Results From Across the Web

No results found

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

lerna run produces "stdout maxBuffer exceeded"

Next page

Private packages install with git url