chore(deps): update vite-plugin-node-polyfills#491
Conversation
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
| /domain-browser@4.23.0: | ||
| resolution: {integrity: sha512-ArzcM/II1wCCujdCNyQjXrAFwS4mrLh4C7DZWlaI8mdh7h3BfKdNd3bKXITfl2PT9FtfQqaGvhi1vPRQPimjGA==} |
There was a problem hiding this comment.
Legal Risk:
domain-browser 4.23.0 was released under the Artistic-2.0 license, a license currently prohibited by your organization. Merging is blocked until this is resolved
Recommendation:
Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses, however, the general recommendation is to avoid using a dependency under such a license
| /domain-browser@4.23.0: | ||
| resolution: {integrity: sha512-ArzcM/II1wCCujdCNyQjXrAFwS4mrLh4C7DZWlaI8mdh7h3BfKdNd3bKXITfl2PT9FtfQqaGvhi1vPRQPimjGA==} |
There was a problem hiding this comment.
Legal Risk:
domain-browser 4.23.0 was released under the Artistic-2.0 license, a license currently prohibited by your organization. Merging is blocked until this is resolved
Recommendation:
Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses, however, the general recommendation is to avoid using a dependency under such a license
|
Tests failing due to davidmyersdev/vite-plugin-node-polyfills#81 |
do we want to wait to merge this change then? so we don't have a bunch of false positive failing tests? the change itself lgtm |
No, I'll wait until they release a fix. |
2 participants
This updates vite-plugin-node-polyfills to keep up with fixes. Also addresses a vulnerability found via SemGrep in browserify-sign which is a transitive dependency. This was solved by bumping the minor versions of many transitive deps in pnpm-lock.yaml.