
Please update acorn to 6.4.1, or 7.1.1 to resolve vulnerability in acorn #375

Open
IdanAdar opened this issue Mar 8, 2020 · 15 comments

Comments

@IdanAdar

IdanAdar commented Mar 8, 2020

See advisory from npm: https://www.npmjs.com/advisories/1488

@nmccready

@Rafalsky

Rafalsky commented Mar 9, 2020

This is fixed on master branch.

Commit: 8a22ecc

Just need to be tagged.

@Ionaru

Ionaru commented Mar 9, 2020

That commit was over a year ago, what's the reason no new version has been tagged since then?

@nmccready
Collaborator

That commit was over a year ago, what's the reason no new version has been tagged since then?

Looks like there was no release as this was primarily linting changes.

Also, this is neither mine nor @phated's full-time job. If you guys see issues, please make PRs.

Even with @phated's changes, it appears acorn is still under 7.1.1 and needs to be fixed in @gulp-sourcemaps/identity-map

❯ yarn why acorn
yarn why v1.21.1
[1/4] 🤔  Why do we have the module "acorn"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "acorn@5.7.3"
info Has been hoisted to "acorn"
info Reasons this module exists
   - Specified in "dependencies"
   - Hoisted from "@gulp-sourcemaps#identity-map#acorn"
   - Hoisted from "eslint#espree#acorn"
info Disk size without dependencies: "588KB"
info Disk size with unique dependencies: "588KB"
info Disk size with transitive dependencies: "588KB"
info Number of shared dependencies: 0
=> Found "acorn-jsx#acorn@3.3.0"
info This module exists because "eslint#espree#acorn-jsx" depends on it.
info Disk size without dependencies: "676KB"
info Disk size with unique dependencies: "676KB"
info Disk size with transitive dependencies: "676KB"
info Number of shared dependencies: 0
✨  Done in 0.38s.

~/code/thirdparties/gulp-sourcemaps master
❯ yarn info acorn version
yarn info v1.21.1
6.4.1
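The `yarn why` output above lists every copy of acorn that yarn hoisted or nested, and the manual next step is to compare each resolved version with the releases the issue title accepts (6.4.1 or later on the 6.x line, or 7.1.1 or later). The script below automates that comparison by walking a yarn v1 lockfile. It is an added example, not code from gulp-sourcemaps or from anyone in this thread; the lockfile text embedded in it is constructed for the example (the identity-map version and the acorn ranges in it are made up), it assumes the yarn v1 lockfile layout (`name@range:` headers followed by an indented `version "x.y.z"` line), and it uses a minimal three-part version comparison instead of the `semver` package, so pre-release suffixes are ignored.

```javascript
// Added example (not from gulp-sourcemaps or this thread): report every version of a
// package that a yarn v1 lockfile resolves to, and flag those outside the versions the
// issue title accepts (>=6.4.1 on the 6.x line, or >=7.1.1).

// Constructed sample lockfile for the example; version numbers and ranges are made up.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@gulp-sourcemaps/identity-map@^1.0.0":
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/@gulp-sourcemaps/identity-map/-/identity-map-1.0.0.tgz"
  dependencies:
    acorn "^5.0.3"

acorn-jsx@^3.0.0:
  version "3.0.1"
  resolved "https://registry.yarnpkg.com/acorn-jsx/-/acorn-jsx-3.0.1.tgz"
  dependencies:
    acorn "^3.0.4"

acorn@^3.0.4:
  version "3.3.0"
  resolved "https://registry.yarnpkg.com/acorn/-/acorn-3.3.0.tgz"

acorn@^5.0.3, acorn@^5.7.3:
  version "5.7.3"
  resolved "https://registry.yarnpkg.com/acorn/-/acorn-5.7.3.tgz"

"acorn@^6.0.1", acorn@^6.4.1:
  version "6.4.1"
  resolved "https://registry.yarnpkg.com/acorn/-/acorn-6.4.1.tgz"
`;

// Parse the yarn v1 format: an unindented "spec, spec:" header opens an entry,
// and its two-space-indented 'version "x.y.z"' line gives the resolved version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ') && raw.endsWith(':')) {
      // Header: one or more "name@range" specs, comma separated, optionally quoted.
      const specs = raw.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current && /^  version "/.test(raw)) {
      current.version = raw.trim().slice('version "'.length, -1);
    }
  }
  return entries;
}

// Package name is everything before the last "@", so scoped names (@scope/pkg) work.
function specName(spec) {
  return spec.slice(0, spec.lastIndexOf('@'));
}

// Minimal x.y.z parser; a pre-release suffix such as "-beta.1" is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every distinct version of `pkg` the lockfile resolves to, oldest first.
function resolvedVersions(lockText, pkg) {
  const versions = new Set();
  for (const e of parseYarnLock(lockText)) {
    if (e.version && e.specs.some((s) => specName(s) === pkg)) versions.add(e.version);
  }
  return [...versions].sort(compareVersions);
}

// Acceptable per the issue title: 6.4.1+ on the 6.x line, or 7.1.1+.
// Older lines (3.x, 5.x in the thread's output) are not among the accepted versions.
function isAcceptable(version) {
  const [major] = parseVersion(version);
  if (major === 6) return compareVersions(version, '6.4.1') >= 0;
  if (major >= 7) return compareVersions(version, '7.1.1') >= 0;
  return false;
}

function audit(lockText, pkg) {
  return resolvedVersions(lockText, pkg).map((v) => ({ version: v, acceptable: isAcceptable(v) }));
}

// Usage: node audit-lock.js [path/to/yarn.lock]; without an argument the constructed sample is used.
if (typeof require !== 'undefined' && require.main === module) {
  const text = process.argv[2] ? require('fs').readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCK;
  for (const { version, acceptable } of audit(text, 'acorn')) {
    console.log(`acorn@${version}: ${acceptable ? 'ok' : 'needs upgrade'}`);
  }
}
```

Run against the sample, the two older copies (3.3.0 and 5.7.3) are reported as needing an upgrade and 6.4.1 passes; pointed at a real `yarn.lock` it shows the same thing `yarn why` does, but as a pass/fail list that can gate CI. A version appearing in the lockfile only says it is resolvable, not that the surrounding code is reachable, so the list is a starting point for the upgrade work in this thread rather than proof of exposure.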

@Ionaru

Ionaru commented Mar 9, 2020

This module has acorn in its dependencies as well: https://github.com/gulp-sourcemaps/gulp-sourcemaps/blob/master/package.json#L26

@nmccready
Collaborator

As you can see this is going to be more difficult than just bumping.

https://travis-ci.org/gulp-sourcemaps/identity-map/jobs/660134323?utm_medium=notification&utm_source=github_status

The 6.X branch of acorn still has not resolved the issues. gulp-sourcemaps is trying to support Node 6.X - 10.X.

To get things working correctly, acorn is going to need to patch 6.X.

@phated , should we drop acorn or drop 6.X support for node ?

@nmccready nmccready changed the title Please update acorn to 7.1.1 to resolve vulnerability in acorn Please update acorn to 6.4.1, or 7.1.1 to resolve vulnerability in acorn Mar 9, 2020
@nmccready
Collaborator

We'll be targeting 6.4.1 as it should work with Node 6.

@hansnull

This comment has been minimized.

@nmccready
Collaborator

NodeJS 6 is not maintained anymore, or am I wrong?

That's not my battle, but gulp-sourcemaps has always supported many older versions of Node. It is only within the year that we cut out 4, 0.12, and 0.10.

ask @phated

@nmccready
Collaborator

#376

@phated
Contributor

phated commented Mar 9, 2020

ask @phated

If you leave users stranded on old versions of your software because you can't be bothered to support a few older versions of the runtime, then you are a bad maintainer.

@IdanAdar
Author

@nmccready Please let us know once the new build reaches npm so we can pull it properly.

@gian1200

It seems to be "fixable" now by running npm audit fix 🤷‍♂

@limitedmage

The PR was merged but no release has been published to NPM yet?

@valadas

valadas commented Jun 24, 2020

I am in the same situation but npm audit fix did not resolve it.


9 participants