I’m currently using @nx/jest@20.4.1 in our project, and I’ve discovered it includes a transitive dependency on the inflight package.
The inflight package has been deprecated and is known to have a memory leak. It also has not been maintained for a long time.
Our security scanning (e.g., Black Duck or other tools) flagged this as a vulnerability that could cause a Denial of Service (DoS) under certain conditions.
Steps to Reproduce:
Install @nx/jest@20.4.1.
Run npm ls inflight (or yarn why inflight) and observe inflight is pulled in.
Impact:
Projects using @nx/jest@20.4.1 end up shipping a known vulnerable package in production or test environments.
Request:
Please remove or replace the dependency on inflight by upgrading the modules that pull it in or switching to a more maintained package.
If this is indirectly introduced by another library, a version bump or other mitigation strategy would be much appreciated.
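The reproduction step above relies on `npm ls inflight` against an installed tree. The following is an added example (not code from the issue author or from the Nx project) that does the same job offline against a `package-lock.json`: it walks the lockfile's `packages` map with npm's nearest-`node_modules` resolution rule and reports every dependency chain from the project root to a named package, plus every package the registry has marked `deprecated`. The lockfile embedded below is constructed for the example; the intermediate package name `some-glob-lib` is illustrative and is not a claim about what actually pulls `inflight` into `@nx/jest`.

```python
"""Offline equivalent of `npm ls <pkg>` over a package-lock.json (lockfileVersion 2/3).

Added example; the lockfile content and the intermediate package name are constructed.
"""
import json
from typing import Dict, List, Optional, Set

# Constructed lockfile fragment in the lockfileVersion 3 layout: the "packages" map is
# keyed by on-disk path ("" is the project root). Only the fields this script reads
# are present; real lockfiles carry integrity hashes, resolved URLs and more.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "devDependencies": {"@nx/jest": "20.4.1"}},
        "node_modules/@nx/jest": {"version": "20.4.1",
                                  "dependencies": {"some-glob-lib": "7.0.0"}},
        "node_modules/some-glob-lib": {"version": "7.0.0",
                                       "dependencies": {"inflight": "1.0.6"}},
        "node_modules/inflight": {"version": "1.0.6",
                                  "deprecated": "This module is not supported, and leaks memory."},
    },
})


def resolve(packages: Dict[str, dict], from_path: str, dep: str) -> Optional[str]:
    """Find the lockfile key that `dep` resolves to when required from `from_path`.

    Mirrors Node's lookup: the nearest enclosing node_modules directory wins, walking
    outwards until the top-level node_modules is reached.
    """
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Drop the innermost "/node_modules/<name>" segment; scoped names contain a
        # slash, so search for the separator rather than splitting on "/".
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def find_chains(lock_json: str, target: str) -> List[List[str]]:
    """Return every root-to-`target` dependency chain as a list of name@version labels."""
    packages = json.loads(lock_json)["packages"]
    chains: List[List[str]] = []

    def walk(path: str, trail: List[str], seen: Set[str]) -> None:
        entry = packages[path]
        deps: Dict[str, str] = {}
        for key in ("dependencies", "devDependencies", "optionalDependencies"):
            deps.update(entry.get(key, {}))
        for name in deps:
            resolved = resolve(packages, path, name)
            if resolved is None or resolved in seen:  # unresolved or cyclic edge
                continue
            label = f"{name}@{packages[resolved].get('version', '?')}"
            if name == target:
                chains.append(trail + [label])
            else:
                walk(resolved, trail + [label], seen | {resolved})

    root_name = packages[""].get("name", "(root)")
    walk("", [root_name], {""})
    return chains


def deprecated_packages(lock_json: str) -> Dict[str, str]:
    """Map package name -> version for every entry the lockfile records as deprecated."""
    packages = json.loads(lock_json)["packages"]
    result: Dict[str, str] = {}
    for path, entry in packages.items():
        if path and "deprecated" in entry:
            name = path[path.rfind("node_modules/") + len("node_modules/"):]
            result[name] = entry.get("version", "?")
    return result


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_LOCKFILE, "inflight"):
        print(" > ".join(chain))
    print("deprecated:", deprecated_packages(SAMPLE_LOCKFILE))
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with the contents of the repository's `package-lock.json`; the chains it prints are the ones to target with an `overrides` entry or an upgrade of the intermediate package, and the `deprecated_packages` output is a cheap pre-commit check that catches this class of finding before the scanner does.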