s100 · 2020-06-25T17:07:11Z

It appears that logdna-bunyan does not use eslint at run time, only for linting at development time, so this PR removes that dependency.

This PR is motivated by a prototype pollution vulnerability in lodash, which eslint has a dependency on, and which lodash's maintainers seem not to be acting on. By eliminating eslint as a production dependency, we eliminate the transitive dependency on lodash.

smusali

Thanks for reporting this, @s100! I will update the package and let you know!

smusali · 2020-06-25T20:26:02Z

@s100, we have just released the newest patch version including this change. Thanks again for reporting and fixing this!

s100 · 2020-06-26T08:31:52Z

Thank you for acting promptly!

8B2E

Stop requiring eslint as a production dependency

4fc2026

smusali self-requested a review June 25, 2020 17:07

smusali self-assigned this Jun 25, 2020

smusali added bug Something isn't working enhancement New feature or request labels Jun 25, 2020

smusali approved these changes Jun 25, 2020

View reviewed changes

smusali merged commit 6854142 into logdna:master Jun 25, 2020

smusali mentioned this pull request Jun 25, 2020

deps: bump eslint dependency #16

Merged

s100 deleted the patch-1 branch June 26, 2020 08:31

Provide feedback

Saved searches