Description
@nx/js pulls in [email protected] as a transitive dependency through the chain:
[email protected] has a known vulnerability (see GHSA-48c2-rrv3-qjmp — stack overflow via deeply nested YAML collections). The fix is available in [email protected].
Steps to Reproduce
- Create a project using @nx/[email protected]
- Run npm audit
- Observe [email protected] flagged as vulnerable via the babel-plugin-macros → cosmiconfig chain
Expected Behavior
@nx/js should depend on (or pin) versions of transitive dependencies that do not have known vulnerabilities. Updating cosmiconfig or adding an override for yaml >=1.10.3 in @nx/js would resolve this.
Current Workaround
Consumers can override the resolution in their own package-lock.json to force [email protected].
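As an added illustration (not part of the original report), this is the shape of the consumer-side override using npm's overrides field in package.json; npm records the forced resolution in package-lock.json on the next install. It assumes npm 8.3 or newer, where overrides are supported, and uses the yaml >=1.10.3 range stated above rather than a specific pinned version:

```json
{
  "name": "my-workspace",
  "private": true,
  "devDependencies": {
    "@nx/js": "22.6.1"
  },
  "overrides": {
    "yaml": ">=1.10.3"
  }
}
```

After adding the override, run npm install followed by npm audit; the babel-plugin-macros → cosmiconfig chain should now resolve a patched yaml and the GHSA-48c2-rrv3-qjmp finding should no longer appear. The override is scoped to every occurrence of yaml in the tree, so check that nothing else in the workspace depends on a yaml version outside that range.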
Environment
- Nx version: 22.6.1
- Node version: v22
- Package manager: npm