There are some Dependabot-reported security issues that may or may not be reported by `npm audit`.
Dependabot doesn't always report the security issues, but when one cross-references other projects, such as SAGE, one can find the issues. Cross-reference the issues.
Review these and see if it is possible to safely update these.
These may require using `overrides`.
If that is the case, be sure to perform extra checks for regressions.
Such cases would be, for example, `minimatch`, where some dependencies need a 5.x version of `minimatch` but the override is set to `^3.0.0`.
Cursory investigation of patterns like `"minimatch": ">=3.1.2"` or `"minimatch": "^3.1.2 || >=3.1.2"` shows that they result in always using a 5.x version, and patterns like `"minimatch": "^3.1.2"` result in always using a 3.x version.
When there are dependencies requiring different versions, there does not seem to be a way to allow a 3.1.2 to match for the 3.x version and a 5.1.1 to match for the 5.x version.
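The behaviour described in the issue follows from npm installing the highest published version that satisfies a range, and a single `overrides` entry forces one version on every dependent. The following is an added example, not code from the issue or from the project: a minimal resolver covering only the range forms named above (exact pins, `^`, `>=` and `||` unions) and a check that reports which dependents an override would push out of their declared range. The list of `minimatch` versions and the dependents `pkg-a` / `pkg-b` are constructed sample input.

```javascript
// Added example (not from the issue or the project): mimics how npm picks a
// version for a semver range, to show why an override such as ">=3.1.2"
// lands on 5.x while "^3.1.2" stays on 3.x, and which dependents break.
// Only the range forms discussed in the issue are implemented; this is not
// a full semver implementation.

// Constructed list of published minimatch versions used as sample input.
const AVAILABLE = ["3.0.4", "3.0.5", "3.1.2", "5.0.1", "5.1.0", "5.1.1", "5.1.6"];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Does a single comparator (no "||") accept the parsed version?
function matchesComparator(comparator, version) {
  const c = comparator.trim();
  if (c.startsWith("^")) {
    const base = parseVersion(c.slice(1));
    if (compare(version, base) < 0) return false;
    // caret: nothing left of the first non-zero component may change
    if (base[0] !== 0) return version[0] === base[0];
    if (base[1] !== 0) return version[0] === 0 && version[1] === base[1];
    return compare(version, base) === 0;
  }
  if (c.startsWith(">=")) {
    return compare(version, parseVersion(c.slice(2))) >= 0;
  }
  return compare(version, parseVersion(c)) === 0; // exact pin
}

function satisfies(range, version) {
  const v = parseVersion(version);
  return range.split("||").some((c) => matchesComparator(c, v));
}

// npm installs the highest published version that satisfies the range.
function resolve(range, available = AVAILABLE) {
  const candidates = available.filter((v) => satisfies(range, v));
  if (candidates.length === 0) return null;
  return candidates.sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop();
}

// Given what each dependent asks for, which of them would end up with a
// version outside their declared range under a single override?
function checkOverride(override, dependentRanges, available = AVAILABLE) {
  const chosen = resolve(override, available);
  const broken = Object.entries(dependentRanges)
    .filter(([, wanted]) => chosen === null || !satisfies(wanted, chosen))
    .map(([name]) => name);
  return { chosen, broken };
}

// Constructed dependents: one wants 3.x, another wants 5.x, as in the issue.
const DEPENDENTS = { "pkg-a": "^3.0.0", "pkg-b": "^5.0.0" };

console.log(resolve("^3.1.2"));                   // 3.1.2
console.log(resolve(">=3.1.2"));                  // 5.1.6
console.log(resolve("^3.1.2 || >=3.1.2"));        // 5.1.6 (the >= arm wins)
console.log(checkOverride("^3.0.0", DEPENDENTS)); // { chosen: "3.1.2", broken: ["pkg-b"] }
console.log(checkOverride(">=3.1.2", DEPENDENTS)); // { chosen: "5.1.6", broken: ["pkg-a"] }
```

Run it with `node` after saving to a file. The `broken` list is the regression surface the issue asks to check: whichever way the override is set, one of the two dependents gets a major version it never declared support for, which is why an override cannot satisfy a 3.x and a 5.x consumer at the same time.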