Dependency vulnerability

[develyan]

Hi,

[email protected] has a dependency to:

• @75ls/[email protected].

Is it possible to have that dependency upgraded to fix a package vulnerability ?

[amoeba]

Hi @develyan, thanks for the report. This looks like it has been resolved upstream and is no longer an issue, see that newer versions of command-line-usage and its dependents are brought in:

❯ npm ls --all
[email protected] /work/test-package
└─┬ [email protected]
  ├─┬ @swc/[email protected]
  │ └── [email protected] deduped
  ├── @types/[email protected]
  ├── @types/[email protected]
  ├─┬ @types/[email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ ├── UNMET OPTIONAL DEPENDENCY @75lb/nature@latest
  │ ├── [email protected]
  │ ├─┬ [email protected]
  │ │ └── UNMET OPTIONAL DEPENDENCY @75lb/nature@latest
  │ ├── [email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ ├── [email protected] deduped
  │ ├─┬ [email protected]
  │ │ └─┬ [email protected]
  │ │   ├─┬ [email protected]
  │ │   │ └─┬ [email protected]
  │ │   │   └── [email protected]
  │ │   └─┬ [email protected]
  │ │     └── [email protected]
  │ ├─┬ [email protected]
  │ │ ├── [email protected] deduped
  │ │ └── [email protected]
  │ └── [email protected] deduped
  ├── [email protected]
  ├── [email protected]
  └── [email protected]

A few other notes:

• If you do have a provably exploitable software vulnerability to disclose, in the future you can follow the ASF reporting process for private disclosure at https://www.apache.org/security/
• This vulnerability was only in a command line interface which makes it much less of a problem
• The Arrow JavaScript implementation has moved to https://github.com/apache/arrow-js and you can file issues or discussions there in the future

I'm going to close this discussion but please feel free to let me know if you think I've missed something here.