Update eslint dependency #648

@ethikz

Bug report

Vuepress is using a version of eslint that has been compromised. "eslint": "4.19.1" requires "eslint-scope": "^3.7.1", and the versions with issues are 3.7.2, 3.7.3.

TLDR; eslint-scope: 3.7.2, 3.7.3. This version contained apparently malicious code that attempted to steal npm login tokens.

Version

0.12.0

Steps to reproduce

As reported, a way to fix it is to pin the version to eslint-scope: 3.7.1, but since eslint: 4.19.1 doesn't have it pinned in that version, that isn't achievable.

You can view the actual bug report at eslint/eslint-scope#39.

What is expected?

An update to a version of eslint where they updated eslint-scope, which is https://github.com/eslint/eslint/releases/tag/v5.0.0

What is actually happening?

Using Vuepress on Gitlab and having an exclude pattern on a privately hosted Gitlab causes npm to fail to install packages.

Other relevant information

  • Your OS: OSX 10.12.6
  • Node.js version: v8.10.0
  • Browser version: N/A
  • Is this a global or local install? Both
  • Which package manager did you use for the install? NPM
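
A lockfile check for the versions named in this report, as an added example that is not part of the original issue or of the VuePress or ESLint code: it takes a parsed package-lock.json and lists every installed eslint-scope 3.7.2 or 3.7.3. It goes beyond the npm 5 case in the report by also reading the flat `packages` map of newer lockfiles; the sample lockfiles and the `findCompromised` name are constructed for illustration.

```javascript
// Versions the issue names as compromised (taken from the report above).
const COMPROMISED = { 'eslint-scope': ['3.7.2', '3.7.3'] };

const isCompromised = (name, version) =>
  (COMPROMISED[name] || []).includes(version);

// lockfileVersion 1 (npm 5/6): nested "dependencies" tree.
function scanTree(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = trail.concat(name);
    if (isCompromised(name, info.version)) {
      hits.push({ name, version: info.version, path: path.join(' > ') });
    }
    scanTree(info.dependencies, path, hits); // copies nested under this package
  }
  return hits;
}

// lockfileVersion 2/3 (npm 7+): flat "packages" map keyed by install path.
function scanPackages(packages) {
  const hits = [];
  for (const [key, info] of Object.entries(packages)) {
    const parts = key.split('node_modules/').filter(Boolean)
      .map((p) => p.replace(/\/$/, ''));
    const name = parts[parts.length - 1]; // undefined for the root "" entry
    if (name && isCompromised(name, info.version)) {
      hits.push({ name, version: info.version, path: parts.join(' > ') });
    }
  }
  return hits;
}

// Hypothetical helper name: takes an already parsed package-lock.json.
function findCompromised(lock) {
  if (lock.packages) return scanPackages(lock.packages);
  return scanTree(lock.dependencies, [], []);
}

// Constructed sample lockfiles (not taken from a real project).
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  eslint: { version: '4.19.1', requires: { 'eslint-scope': '^3.7.1' },
    dependencies: { 'eslint-scope': { version: '3.7.3' } } },
} };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'docs' },
  'node_modules/eslint': { version: '4.19.1' },
  'node_modules/eslint-scope': { version: '3.7.1' },
} };
console.log(findCompromised(SAMPLE_V1), findCompromised(SAMPLE_V3));
```

To check a real project, pass the function `JSON.parse` of the project's package-lock.json contents; an empty result means no listed version is locked.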
