In yarn.lock file of my application I have "rc" : "1.2.8", but the issue is it has a dependent package "strip-json-comments" which takes very old version of itself.
its latest one is "3.1.0" and it is taking "2.0.1" which leads to security defect in application.
Below is the dependency tree of yarn.lock -
rc@^1.0.1, rc@^1.1.2, rc@^1.1.6, rc@^1.2.8:
version "1.2.8"
resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#cd924bf5200a075b83c188cd6b9e211b7fc0d3ed"
integrity sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==
dependencies:
deep-extend "^0.6.0"
ini "~1.3.0"
minimist "^1.2.0"
strip-json-comments "~2.0.1"
In yarn.lock file of my application I have "rc" : "1.2.8", but the issue is it has a dependent package "strip-json-comments" which takes very old version of itself.
its latest one is "3.1.0" and it is taking "2.0.1" which leads to security defect in application.
Below is the dependency tree of yarn.lock -
rc@^1.0.1, rc@^1.1.2, rc@^1.1.6, rc@^1.2.8:
version "1.2.8"
resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#cd924bf5200a075b83c188cd6b9e211b7fc0d3ed"
integrity sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==
dependencies:
deep-extend "^0.6.0"
ini "~1.3.0"
minimist "^1.2.0"
strip-json-comments "~2.0.1"