Diagnostics package creates transient dependency related to CVE-2021-29060
See original GitHub issue

Please tell us about your environment:

- winston version?
  - winston@2
  - winston@3
What is the problem?

Winston has a transient dependency on color-string@1.5.4 which has a ReDoS advisory CVE-2021-29060

```text
└─┬ winston@3.3.3
  └─┬ @dabh/diagnostics@2.0.2
    └─┬ colorspace@1.1.2
      └─┬ color@3.0.0
        └── color-string@1.5.4
```
What do you expect to happen instead?

The diagnostics package has not been updated in three years, it may be time to consider an alternate, forking and inlining… etc.
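Finding a path like the one above by hand is easy when the vulnerable copy is hoisted to the top of node_modules, and easy to miss when npm has nested it under the package that requires it. The helper below, an added example rather than code from winston, npm or the diagnostics package, walks a lockfileVersion 1 tree with npm's nearest-scope resolution and returns every path from a direct dependency to a given package@version. The lock data is a constructed excerpt shaped like the tree in the issue; the hoisted color-string@1.9.9 is a placeholder version added only to show that the nested copy, not the hoisted one, is what color actually resolves.

```javascript
// Hypothetical helper: report every dependency path from a direct dependency
// to target@version inside an npm lockfileVersion 1 "dependencies" tree.

// Constructed lock excerpt. color nests its own color-string@1.5.4, while a
// different (placeholder) version sits hoisted at the top level.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    winston: { version: '3.3.3', requires: { '@dabh/diagnostics': '^2.0.2' } },
    '@dabh/diagnostics': { version: '2.0.2', requires: { colorspace: '1.1.x' } },
    colorspace: { version: '1.1.2', requires: { color: '3.0.x' } },
    color: {
      version: '3.0.0',
      requires: { 'color-string': '^1.5.4' },
      dependencies: { 'color-string': { version: '1.5.4' } },
    },
    'color-string': { version: '1.9.9' }, // placeholder hoisted copy
  },
};

// npm resolution: the innermost enclosing node_modules that has `name` wins.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i][name]) return scopes[i][name];
  }
  return null;
}

function findPaths(lock, directDeps, target, targetVersion) {
  const root = lock.dependencies || {};
  const found = [];
  function walk(name, node, scopes, trail, seen) {
    const label = `${name}@${node.version}`;
    if (seen.has(label)) return; // cycle guard
    const nextTrail = [...trail, label];
    if (name === target && (!targetVersion || node.version === targetVersion)) {
      found.push(nextTrail);
      return;
    }
    const nextSeen = new Set(seen).add(label);
    const nextScopes = node.dependencies ? [...scopes, node.dependencies] : scopes;
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, nextScopes);
      if (child) walk(dep, child, nextScopes, nextTrail, nextSeen);
    }
  }
  for (const name of directDeps) {
    if (root[name]) walk(name, root[name], [root], [], new Set());
  }
  return found;
}

for (const p of findPaths(SAMPLE_LOCK, ['winston'], 'color-string', '1.5.4')) {
  console.log(p.join(' > '));
}
```

With a real project, load package-lock.json with JSON.parse and pass the dependency names from package.json as directDeps; an empty result for the advisory's version means no path from your direct dependencies reaches the affected copy.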
Issue Analytics

- State:
- Created 2 years ago
- Comments: 5 (4 by maintainers)
Top GitHub Comments

@wbt - I think with 3.3.4 released, this issue can be closed.

Tagging @DABH as a possibly easier PR route might be an update to that package.