Bump pouchdb version #5188
older version uses a vulnerable version of node-fetch
Thanks for the bump @vdamle!
Hey @vdamle, your PR is failing the yarncheck job. (It checks that
Thank you for catching that @haltman-at. I didn't follow up on the build status. I've pushed the yarn lock as well now.
Great, thanks for this! (Now can we get a second reviewer on this? :) )
Looks good to me! Thanks for this @vdamle.
Thanks for taking care of this update!
We should have this week's release out either tomorrow or Friday!
Hey @wbt, how are you using pouchdb? Is it related to truffle db?
I don't think I'm actually using it at all, except for the time-wasting dive into the npm audit failures reported from this vulnerability. I'm hoping that simply updating to use a release with this patch will fix that.
older version uses a vulnerable version of node-fetch
Output of npm list node-fetch when using truffle:5.5.17 (also checked that the vulnerable version is included in 5.5.18 as well:
ref: pouchdb/pouchdb#8448
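
The same check can be scripted against the JSON form of that command (`npm ls node-fetch --json`). The following is an added example, not code from this PR or from Truffle: it lists every installed copy of a package with the dependency chain that pulls it in. The function names, the sample tree, its version numbers and the `MIN_FIXED` threshold are all constructed placeholders; take the real fixed version from the advisory you are tracking.

```javascript
// Compare two x.y.z versions; returns <0, 0 or >0. Prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk an `npm ls --json` tree and return one record per installed copy of
// `target`, with the chain of parents that brings it into the install.
function findCopies(tree, target, minFixed) {
  const hits = [];
  const walk = (node, name, chain) => {
    const here = chain.concat(`${name}@${node.version || '?'}`);
    if (name === target && node.version) {
      hits.push({
        version: node.version,
        path: here.join(' > '),
        belowFix: compareVersions(node.version, minFixed) < 0,
      });
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Constructed sample in the shape `npm ls node-fetch --json` prints.
// Version numbers are placeholders, not the real truffle/pouchdb releases.
const sampleTree = {
  name: 'my-project', version: '1.0.0',
  dependencies: {
    truffle: { version: '1.0.0', dependencies: {
      pouchdb: { version: '1.0.0', dependencies: {
        'node-fetch': { version: '1.0.0' } } } } },
    'node-fetch': { version: '2.0.0' },
  },
};
const MIN_FIXED = '2.0.0'; // placeholder: first release carrying the fix

const report = findCopies(sampleTree, 'node-fetch', MIN_FIXED);
for (const r of report) console.log(r.belowFix ? 'OLD' : 'ok ', r.path);
```

A copy flagged `OLD` deep in the chain is the case discussed in this thread: the project never depends on the package directly, so the fix has to arrive through a bump in the intermediate dependency.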