Upgrade update-notifier version for fixing CVE-2022-33987

[holblin]

Hi,

I have multiple packages that use gts. Due to a CVE, gts is impacted in his last version:

• https://nvd.nist.gov/vuln/detail/CVE-2022-33987
• GHSA-pfrx-2q88-qq97

Updating update-notifier to the latest version and releasing a new version of gts, will solve the issue.

Indeed, currently, this is the chain of versions from gts:
update-notifier (^5.0.0) > latest-version (^5.1.0) > package-json (^6.3.0) > got (^9.6.0)
And this will be the new chain of versions after the change:
update-notifier (6.0.2) > latest-version (^7.0.0) > package-json (^8.1.0) > got (^12.1.0)

[JustinBeckwith]

I love how this upgrade to update-notifier requires node 14 and a transition to ESM. Awesome.

[holblin]

Hi @bcoe , I disagree with the completion of this issue.
There was no new release of GTS following the fix, which keep all the consumers impacted.

Could we re-open the issue until we got a new version published in NPM?

Ref: https://www.npmjs.com/package/gts

[bcoe]

@holblin 4.0.0 is released to the dist-tag next:

npm i gts@next

However it seems to have some issues:

Error: Cannot read config file: /Users/bencoe/google/nodejs-vision/samples/.eslintrc.yml
Error: Function yaml.safeLoad is removed in js-yaml 4. Use yaml.load instead, which is now safe by default.
    at Object.safeLoad (/Users/bencoe/google/nodejs-vision/node_modules/@eslint/eslintrc/node_modules/js-yaml/index.js:10:11)
    at loadYAMLConfigFile (/Users/bencoe/google/nodejs-vision/node_modules/@eslint/eslintrc/lib/config-array-factory.js:161:21)
    at loadConfigFile (/Users/bencoe/google/nodejs-vision/node_modules/@eslint/eslintrc/lib/config-array-factory.js:319:20)

[bcoe]

@holblin I believe the issue I was running into was a stale package-lock.json issue, could you try 4.0.0 and let me know if it works for you?

[holblin]

It works 👍
Thanks a lot :-)