Description
Bug report
Vuepress is using a version of eslint that has been compromised. "eslint": "4.19.1" requires "eslint-scope": "^3.7.1", and the versions with issues are 3.7.2, 3.7.3.
TLDR; eslint-scope: 3.7.2, 3.7.3
This version contained apparently malicious code that attempted to steal npm login tokens
Version
0.12.0
Steps to reproduce
As reported, a way to fix it is to pin the version to eslint-scope: 3.7.1, but since eslint: 4.19.1 doesn't have it pinned in that version, that isn't achievable.
You can view the actual bug report eslint/eslint-scope#39.
What is expected?
An update to a version of eslint where they updated eslint-scope, which is https://github.com/eslint/eslint/releases/tag/v5.0.0
What is actually happening?
Using Vuepress on Gitlab and having an exclude pattern on a privately hosted Gitlab causes npm to fail to install packages.
Other relevant information
- Your OS: OSX 10.12.6
- Node.js version: v8.10.0
- Browser version: N/A
- Is this a global or local install? Both
- Which package manager did you use for the install? NPM
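
Added example (not part of the original issue or of the VuePress or ESLint projects): a Node.js function that walks a parsed package-lock.json, in either the nested lockfileVersion 1 layout or the flat "packages" layout of versions 2 and 3, and reports every locked copy of the eslint-scope versions named in this issue. The function name, the `COMPROMISED` table and the `sampleLock` object are constructed for illustration.

```javascript
// Added example: flag the eslint-scope releases named in this issue in an npm lockfile.
const COMPROMISED = { 'eslint-scope': new Set(['3.7.2', '3.7.3']) };

// Returns [{ name, version, path }] for every locked copy of a flagged release.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, path) => {
    const bad = COMPROMISED[name];
    if (bad && bad.has(version)) hits.push({ name, version, path });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // "" is the root project, not a dependency
    check(path.slice(idx + 'node_modules/'.length), meta.version, path);
  }
  // lockfileVersion 1 (npm 5/6): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail.concat(name).join(' > '));
      walk(meta.dependencies, trail.concat(name));
    }
  };
  // v2 lockfiles carry both layouts; read the tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: eslint 4.19.1 with a nested eslint-scope resolved to 3.7.3.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    eslint: {
      version: '4.19.1',
      requires: { 'eslint-scope': '^3.7.1' },
      dependencies: { 'eslint-scope': { version: '3.7.3' } },
    },
    'eslint-scope': { version: '3.7.1' },
  },
};

console.log(findCompromised(sampleLock));
```

On a real project, pass the result of `JSON.parse` on the contents of package-lock.json to `findCompromised`; an empty array means no flagged version is locked.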