Resolve four active dependency vulnerabilities #424
Assignees
Labels
Comments
jessex
added
dependencies
This was referenced May 13, 2021
|
The postcss issue seems unlikely to be patched, but there is no actual production vulnerability since it's only used for build tooling. It should be safe to dismiss. PR for lodash forthcoming to close this issue. |
|
It does look like we're unlikely to see a very near-term patch from either postcss or CRA. Agreed with your assessment, though, @macfarlandian, that this can be dismissed! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What needs to be done? Why does it need to be done?
There are four fresh, active dependency vulnerabilities for this repo: postcss, lodash, hosted-git-info, and url-parse. Two of these are high severity vulnerabilities and have been active for 3 days, so should be resolved this week. Fortunately, dependabot generated fixes for two of these already which are awaiting code review and merge.
Additional context
Vulnerabilities listed here
The text was updated successfully, but these errors were encountered: