
Maintain plugin #5

Open
alexlemaire opened this issue Mar 26, 2020 · 0 comments

Comments

@alexlemaire

Hey there!

First, thanks a lot for isomorphic-git: I started using it for a project and it works quite well for me 👍

I would just like to see this plugin finalized/maintained, as I currently need it for easily signing commits via GPG keys in parallel with isomorphic-git. When installing it I noticed 3 vulnerabilities in the package:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Invalid Curve Attack                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ openpgp                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.3.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @isomorphic-git/openpgp-plugin                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @isomorphic-git/openpgp-plugin > openpgp                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1159                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Message Signature Bypass                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ openpgp                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.2.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @isomorphic-git/openpgp-plugin                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @isomorphic-git/openpgp-plugin > openpgp                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1160                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Improper Key Verification                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ openpgp                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.2.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @isomorphic-git/openpgp-plugin                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @isomorphic-git/openpgp-plugin > openpgp                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1161                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 moderate, 2 high) in 127 scanned packages
  3 vulnerabilities require manual review. See the full report for details

For now I've just switched to using regular git calls via Node's spawnSync method for my commit script, but it would be awesome if I could streamline everything and just use plain isomorphic-git everywhere.
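The audit report above is the kind of thing a CI step should turn into a pass/fail decision and a concrete fix target. The following is an added example, not code from isomorphic-git or the openpgp plugin: it reads the JSON form of `npm audit` (npm 6 layout, `advisories` keyed by id), flags advisories at or above a chosen severity, names the direct dependency that pulls the vulnerable module in, and works out the lowest version that clears every advisory. The report it runs on is a constructed sample built from the three advisories quoted in the issue.

```javascript
// Added example (not project code): CI gate over `npm audit --json` (npm 6 report layout).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report carrying the advisories shown in the issue text.
const sampleReport = {
  advisories: {
    1159: { id: 1159, module_name: 'openpgp', severity: 'high', title: 'Invalid Curve Attack',
            patched_versions: '>=4.3.0', findings: [{ paths: ['@isomorphic-git/openpgp-plugin>openpgp'] }] },
    1160: { id: 1160, module_name: 'openpgp', severity: 'high', title: 'Message Signature Bypass',
            patched_versions: '>=4.2.0', findings: [{ paths: ['@isomorphic-git/openpgp-plugin>openpgp'] }] },
    1161: { id: 1161, module_name: 'openpgp', severity: 'moderate', title: 'Improper Key Verification',
            patched_versions: '>=4.2.0', findings: [{ paths: ['@isomorphic-git/openpgp-plugin>openpgp'] }] },
  },
};

// Compare two [major, minor, patch] triples; negative when a < b, positive when a > b.
function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Flatten the advisories, mark those at or above `failOn` as blocking, and record which
// direct dependency (first segment of each dependency path) introduces the vulnerable module.
function gateAudit(report, failOn = 'high') {
  const findings = Object.values(report.advisories || {}).map(a => ({
    id: a.id, module: a.module_name, severity: a.severity, title: a.title,
    patchedIn: a.patched_versions,
    via: [...new Set(a.findings.flatMap(f => f.paths.map(p => p.split('>')[0])))],
    blocking: SEVERITY_RANK[a.severity] >= SEVERITY_RANK[failOn],
  })).sort((x, y) => SEVERITY_RANK[y.severity] - SEVERITY_RANK[x.severity]);
  const blocking = findings.filter(f => f.blocking);
  return { findings, blocking, pass: blocking.length === 0 };
}

// Per module, the highest ">=x.y.z" lower bound across its advisories: the version the
// transitive dependency must reach to clear all of them. Other range shapes are skipped.
function minimumFixedVersion(findings) {
  const best = {};
  for (const f of findings) {
    const m = /^>=\s*(\d+)\.(\d+)\.(\d+)$/.exec(f.patchedIn || '');
    if (!m) continue;
    const v = m.slice(1, 4).map(Number);
    if (!best[f.module] || cmpVersion(v, best[f.module]) > 0) best[f.module] = v;
  }
  return Object.fromEntries(Object.entries(best).map(([k, v]) => [k, v.join('.')]));
}

const result = gateAudit(sampleReport);
console.log(result.pass ? 'audit gate: pass' : 'audit gate: FAIL', minimumFixedVersion(result.findings));
```

In a pipeline, replace `sampleReport` with `JSON.parse` of the real `npm audit --json` output and set a non-zero exit code when `pass` is false.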
