Downstream CVEs due to introduction of prettier-plugin-x about plugins HOT 8 CLOSED

Excellent point! Both Prettier X and TypeScript are dev dependencies and not required for actually running the plug-ins. Updated in 4168185.

from plugins.

@AllanJard Sorry to bother, but any plans to release this fix on NPM anytime soon?

from plugins.

Big thanks @AllanJard! I pulled from master and it works like a charm 👍

# package.json
"datatables.net-plugins": "git+https://github.com/DataTables/Plugins",

af0ceac800bd:/app [development] $ yarn audit
yarn audit v1.22.19
0 vulnerabilities found - Packages audited: 336
Done in 1.41s.

from plugins.

This is thus far the only change in DataTables and the plug-ins since 1.13.4 was released. As far as I am aware, there isn't a way to do a sub-patch release on npm, and since the plug-ins version is matched to the DataTables one, I'm reluctant to make this release until something functional in the code has changed. I don't expect it will be too long - a week or so perhaps.

from plugins.

Thanks for your quick response.

So I will edit my package-lock.json to prevent npm from installing the vulnerable packages.

Thank you very much.

from plugins.

@maurojs10 I went with this approach (if it helps) I put the following in my package.json which pins to this fix:

"datatables.net-plugins": "git+https://github.com/DataTables/Plugins.git#41681850e2f870187cab1b106ce02eb8ceb83d6d",

Thanks again @AllanJard!

from plugins.

@krsyoung Thanks for that tip.

from plugins.

I don't expect it will be too long - a week or so perhaps.

@AllanJard ok

from plugins.