[eslint config] [base] remove unneeded eslint version check #2503

Merged: 1 commit, Nov 13, 2021

PaperStrike
Contributor

As eslint < 7 is dropped in #2495 :)

@ljharb (Collaborator) left a comment

Thanks, the breaking change was unfortunate.

@ljharb merged commit d8cb404 into airbnb:master on Nov 13, 2021

@n-studio

We should release this change as 15.0.1 to solve GHSA-c2qf-rxjj-qqgw

@ljharb
Collaborator

ljharb commented Jun 23, 2023

That isn’t actually a vulnerability here, and we’re on v19 - we won’t be backporting anything to v15.

@n-studio

@ljharb Sorry I was referring to the package https://www.npmjs.com/package/eslint-config-airbnb-base, not https://www.npmjs.com/package/eslint-config-airbnb, it hasn't a v19 release, right?

@ljharb
Collaborator

ljharb commented Jun 23, 2023

aha, yes, you're correct :-) whenever the next version goes out of the base package, this will indeed be included. however, this isn't a real vulnerability, because we're passing a hardcoded string into semver.satisfies, AND because we're not using new Range. This (like almost every JS CVE) is a false positive.
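
The triage argument in the comment above (a hardcoded range string passed to `semver.satisfies`, and no `new Range`) can be checked mechanically over a code base. This is an added example, not part of the thread or of the airbnb/javascript repository; the scanner, its function names and the sample source are constructed for illustration, and it is a regex heuristic rather than a full JavaScript parser.

```javascript
// Added example (not airbnb/javascript code): heuristic triage of semver call sites.
const CALLS = [
  { re: /\bsemver\.satisfies\s*\(/g, call: 'semver.satisfies', rangeArg: 1 },
  { re: /\bnew\s+(?:semver\.)?Range\s*\(/g, call: 'new Range', rangeArg: 0 },
];
// Split an argument list (from just after "(") at top-level commas; null if unbalanced.
function splitArgs(src, start) {
  const args = [];
  let depth = 0, quote = null, cur = '';
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      cur += ch;
      if (ch === '\\') cur += src[++i] ?? '';
      else if (ch === quote) quote = null;
    } else if (ch === ')' && depth === 0) {
      return args.concat(cur.trim());
    } else if (ch === ',' && depth === 0) {
      args.push(cur.trim()); cur = '';
    } else {
      if (ch === '"' || ch === "'" || ch === '`') quote = ch;
      if ('([{'.includes(ch)) depth++;
      if (')]}'.includes(ch)) depth--;
      cur += ch;
    }
  }
  return null;
}
// True only for quoted literals and templates without ${} interpolation.
function isStringLiteral(arg) {
  if (/^(['"])(?:\\.|(?!\1)[^\\\n])*\1$/.test(arg)) return true;
  return /^`(?:\\.|[^`\\])*`$/.test(arg) && !arg.includes('${');
}
function triage(src) {
  const findings = [];
  for (const { re, call, rangeArg } of CALLS) {
    for (const m of src.matchAll(re)) {
      const range = splitArgs(src, m.index + m[0].length)?.[rangeArg] ?? null;
      const line = src.slice(0, m.index).split('\n').length;
      const verdict = range && isStringLiteral(range) ? 'literal' : 'review';
      findings.push({ call, line, range, verdict });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}
// Constructed sample source, not taken from any real project.
const SAMPLE = `const ok = semver.satisfies(v, '^7.32.0 || ^8.2.0');
const risky = semver.satisfies(v, req.query.range);
const r = new semver.Range(userInput, { loose: true });`;
console.log(triage(SAMPLE));
```

A `literal` verdict corresponds to the situation described in the comment; `review` means someone has to trace where the range expression comes from before dismissing or accepting the alert.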

@n-studio

@ljharb Ok, no problem. I like fixing CVE alerts even if they are false positive so the CI doesn't block my releases. In the meanwhile I'll just load my package from master.

@ljharb
Collaborator

ljharb commented Jun 23, 2023

I strongly discourage doing that; there's no guarantee everything will work.

If your CI is blocking releases on false positive CVEs, I'd invite you to consider that it's not actually making your project more secure, but less.

@n-studio

@ljharb Agree to disagree :)
