High vulnerability in dicer used by @expo/multipart-body-parser #20225
Comments
We resolve npm warnings whenever we can, and usually this means upgrading or switching dependencies, but we don't always have control over this. Sometimes a package has moved to a new name and made breaking changes at the same time, for example dropping support for a specific Node version that we support in eas-cli. Usually the warnings you see are from distant downstream dependencies, e.g.: eas-cli depends on package Basically every non-trivial package in the Node ecosystem will come with messages like this on install due to the unfortunate way that unactionable warnings are exposed to users. Some tools use We update dependencies whenever it makes sense to, and we do that frequently. These warnings will not interfere with your usage of eas-cli :) Read more: https://overreacted.io/npm-audit-broken-by-design/

It looks like this particular dependency is actionable for us in this case, although it's low priority because there is no way for anyone to actually exploit this vulnerability given usage of the library.

Thank you for filing this issue!

@brentvatne thanks for the analysis and the explanation!
Summary
npm|yarn audit report that there is a High vulnerability present in the version of dicer used by @expo/multipart-body-parser. This package is a dependency of the EAS CLI package, but I presume that @expo/multipart-body-parser is part of the Expo SDK, not the EAS CLI, hence the bug report here.
What platform(s) does this occur on?
Not Applicable
Environment
Minimal reproducible example
Install EAS CLI, followed by an audit.