Update pug from 2.0.0-beta11 to 2.0.3 to fix vulnerability #230

Open
wants to merge 2 commits into
base: master

@alevis alevis commented May 29, 2019

No description provided.

@codingthat codingthat left a comment

I'm not sure which vulnerability this bump fixes, but bumping to 2.0.4 definitely fixes a vulnerability with subdependency clean-css affecting its versions before 4.1.11.

@dougwilson dougwilson self-assigned this May 1, 2020

alevis commented May 1, 2020

@codingthat thanks for the reply!

@alevis alevis closed this May 1, 2020
@alevis alevis reopened this May 1, 2020
@dougwilson
Contributor

I was about to ask why closed, but see you reopened. I guess just pressed the wrong button as they are right next to each other 🤣

@codingthat

It's failing on only the oldest Node.js versions. Does generator itself need to support those? (I mean...I can't imagine doing a greenfield project on an unsupported version.)

@codingthat

I've seen some projects cap their dependencies in cases like this. If that seems sensible, it could just be a matter of saying, "Want to use generator with Node.js 0.10? You need to go back to the last known release that worked with it (express-generator X.Y.Z)" in the readme, and then pruning the CI requirements a bit.


mraible commented May 20, 2020

+1 for fixing this. In the meantime, `npm audit fix` is a workaround.
