I realise that with v4 now being released the 3.x series is no longer the latest, however a number of users are still stuck on the 3.x series due to the Node version requirement. (For my use-case the chain is: cspell 6.x -> configstore 5.x -> make-dir 3.x; each package along the chain has its own reasons for not picking up a major version bump of the dependent package; streetsidesoftware/cspell#4594, yeoman/configstore#89).
As far as I can tell the 6.x to 7.x version bump of semver isn't breaking to the usages in make-dir, so I'm expecting that cherry-picking 777eed3 then releasing a 3.x would suffice. Would you be up for doing that? (I'd be happy to create a PR if that's useful, though given the size of the change I'm assuming it's not particularly so)
The semver vulnerability does not apply to make-dir as it does not use semver with untrusted user-input. I understand you want the vulnerability gone from npm audit, but I don't want to waste all my maintainer time on bumping dependencies for "vulnerabilities" that in reality affect no one.