This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

Upgrade request package to v.2.88
The package `extend 3.0.1`, which is a dependency of `request 2.87`, has a vulnerability:
https://hackerone.com/reports/381185

Upgrading `request` to v.2.88 will install `extend` v.3.0.2, the fixed version.

Fix #2496
Yoann Colin authored and xzyfer committed Sep 17, 2018
1 parent cdf24f2 commit 746759c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -68,7 +68,7 @@
"nan": "^2.10.0",
"node-gyp": "^3.8.0",
"npmlog": "^4.0.0",
"request": "2.87.0",
"request": "^2.88.0",

gaz77a Apr 23, 2019

This is very hard to debug because the version of request uses the caret in package.json.
As you can see in this comment, we are using node-sass@3.13.1 and getting version 2.88.0 of request.
request v2.88.1 is a breaking change for IE11 due to the use of arrow functions in an inner dependency (punycode).

See also this link for why request did not have a caret before in this project:
ef713a7#r29609328

ping @Gwerlas @xzyfer

xzyfer Apr 23, 2019

Contributor

The issues described in the linked issues are out of scope for node-sass. Someone is just as likely to complain that we're coupling ourselves to an older version of request. If your project has a special requirement on a specific version of a library it should be reflected in that project's package.json. npm will take this into account when resolving the ^ by installing a version that meets all the requirements.

"sass-graph": "^2.2.4",
"stdout-stream": "^1.4.0",
"true-case-path": "^1.0.2"
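Review bot: the `"request"` line does more than the commit message says: it replaces an exact pin (`2.87.0`) with a caret range (`^2.88.0`), so the claim that this "will install `extend` v.3.0.2" only holds for the resolution at the time of the commit; `^2.88.0` admits any later 2.x.y release of request, together with whatever transitive versions those releases pull in (the 2.88.1 breakage raised in the inline comment is an instance of exactly that). Suggest either keeping the previous pinning policy with `"request": "2.88.0"` (the earlier decision to drop the caret is referenced in ef713a7#r29609328), or stating in the commit message that the caret is intended and confirming the resolved `extend` version after a clean install.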
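The discussion above turns on two things: what a caret range such as `^2.88.0` actually admits, and whether a transitive dependency (`extend`) ends up at a fixed version after resolution. The following is an added example, not code from the node-sass project or from either commenter: it implements npm's caret semantics for plain `x.y.z` versions and walks a constructed, lockfile-shaped dependency tree to flag any copy of `extend` below the fixed 3.0.2. The tree contents (`my-app`, the nested versions) are constructed for illustration.

```javascript
// Added example: caret-range semantics plus a transitive-dependency audit.
// Not part of the node-sass repository; the dependency trees below are constructed.

function parseVersion(v) {
  // Only plain x.y.z versions are handled; pre-release tags are out of scope here.
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret semantics as npm applies them to x.y.z ranges: allow updates that do
// not change the left-most non-zero component. "^2.88.0" admits 2.88.1 and
// 2.99.0 but not 3.0.0; "^0.5.1" admits 0.5.2 but not 0.6.0. A range with no
// caret is treated as an exact pin.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) return compareVersions(range, version) === 0;
  const base = range.slice(1);
  const [maj, min, pat] = parseVersion(base);
  const [vmaj, vmin, vpat] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  if (maj > 0) return vmaj === maj;
  if (min > 0) return vmaj === 0 && vmin === min;
  return vmaj === 0 && vmin === 0 && vpat === pat;
}

// Walk a tree of {name, version, dependencies: {...}} nodes and return the
// path to every package called `name` whose version is below `fixed`.
function findVulnerable(tree, name, fixed, path = []) {
  const here = [...path, `${tree.name}@${tree.version}`];
  const hits = [];
  if (tree.name === name && compareVersions(tree.version, fixed) < 0) {
    hits.push(here.join(" > "));
  }
  for (const dep of Object.values(tree.dependencies || {})) {
    hits.push(...findVulnerable(dep, name, fixed, here));
  }
  return hits;
}

// Constructed trees mirroring the situation in the commit: request 2.87.0
// pulling extend 3.0.1 (vulnerable), then request 2.88.0 pulling extend 3.0.2.
const beforeUpgrade = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    request: { name: "request", version: "2.87.0",
      dependencies: { extend: { name: "extend", version: "3.0.1" } } },
  },
};
const afterUpgrade = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    request: { name: "request", version: "2.88.0",
      dependencies: { extend: { name: "extend", version: "3.0.2" } } },
  },
};

// Stand-alone run: show which tree still carries the vulnerable extend.
console.log("before:", findVulnerable(beforeUpgrade, "extend", "3.0.2"));
console.log("after:", findVulnerable(afterUpgrade, "extend", "3.0.2"));
console.log("^2.88.0 admits 2.88.1:", satisfiesCaret("^2.88.0", "2.88.1"));
```

The point the audit makes is the one the reviewer comment makes: the caret decides which `request` may be installed, but only the resolved tree (a lockfile, or the installed `node_modules`) tells you which `extend` you actually got, so the check belongs on the resolved tree rather than on `package.json` alone.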
