[QUESTION] Possible to fix vulnerability issue related to dot-prop?

[ziale]

What / Why

Anchore is reporting a vulnerability issue that is related to an old(<5.1.1) version of the dot-prop package.

I tried to trace the versions:
update-notifier depends on configstore which depends on dot-prop.

update-notifier@4.1.0 uses configstore@5.0.1 which uses dot-prop@5.2.0 where the issue has been fixed.

Is it possible to fix this?

[ljharb]

You'd have to file that on configstore's repo, and then on update-notifier's repo.

[ziale]

You'd have to file that on configstore's repo, and then on update-notifier's repo.

This repo is using update-notifier 2.5.0, and 4.1.0 would fix the issues. The other repos mentioned already using the fixed versions.

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is preproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.