Summary
@splitsoftware/splitio-react@2.6.1 depends on @splitsoftware/splitio@11.9.0, which uses js-yaml@^3.13.1. This version of js-yaml has a known moderate severity vulnerability:
- GHSA-h67p-54hq-rp68 — JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
The fix is available in js-yaml@4.2.0. The core @splitsoftware/splitio package has already upgraded to js-yaml@^4.1.1 in v11.10.0+, but splitio-react still pins splitio@11.9.0.
Request
Please release a new version of @splitsoftware/splitio-react that depends on @splitsoftware/splitio@>=11.10.0 to resolve this transitive vulnerability for downstream consumers.
Versions
@splitsoftware/splitio-react: 2.6.1
@splitsoftware/splitio: 11.9.0 (pinned by splitio-react)
js-yaml: 3.14.2 (vulnerable)
@splitsoftware/splitio latest: 11.11.1 (uses js-yaml@^4.1.1, fixed)
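The chain above can be checked mechanically against a consumer's lockfile. The script below is an added example, not code from this issue or from the Split SDKs: it reads the `packages` map of a lockfileVersion 2/3 package-lock.json, resolves each package that declares js-yaml to the copy npm actually gives it, and reports copies older than the fixed release. The lock contents and the `other-tool` package are constructed for the example.

```javascript
const FIXED_JS_YAML = "4.2.0";
// Constructed sample lock (lockfileVersion 3) mirroring the chain in the issue,
// plus a second tool that gets its own, already fixed, nested copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "my-app", version: "1.0.0" },
  "node_modules/@splitsoftware/splitio-react": { version: "2.6.1", dependencies: { "@splitsoftware/splitio": "11.9.0" } },
  "node_modules/@splitsoftware/splitio": { version: "11.9.0", dependencies: { "js-yaml": "^3.13.1" } },
  "node_modules/js-yaml": { version: "3.14.2" },
  "node_modules/other-tool": { version: "1.0.0", dependencies: { "js-yaml": "^4.1.0" } },
  "node_modules/other-tool/node_modules/js-yaml": { version: "4.2.0" },
} };
// Numeric compare of "major.minor.patch"; any pre-release suffix is ignored.
function olderThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Package name from a lock key such as "node_modules/x/node_modules/@s/y".
function nameFromKey(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

// npm resolution: from the requirer's directory, walk up to the nearest
// node_modules/<pkg>; returns that copy's lock key, or null if none.
function resolveFor(lock, requirerKey, pkg) {
  let dir = requirerKey;
  for (;;) {
    const candidate = `${dir ? dir + "/" : ""}node_modules/${pkg}`;
    if (lock.packages[candidate]) return candidate;
    if (dir === "") return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i < 0 ? "" : dir.slice(0, i);
  }
}

// Map each installed copy of `pkg` older than `fixed` to the packages that resolve to it.
function findVulnerable(lock, pkg, fixed) {
  const out = {};
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (!meta.dependencies || !(pkg in meta.dependencies)) continue;
    const target = resolveFor(lock, key, pkg);
    if (!target || !olderThan(lock.packages[target].version, fixed)) continue;
    out[target] = out[target] || { version: lock.packages[target].version, requiredBy: [] };
    out[target].requiredBy.push(`${nameFromKey(key) || "(root)"}@${meta.version} (${meta.dependencies[pkg]})`);
  }
  return out;
}
console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK, "js-yaml", FIXED_JS_YAML), null, 2));
```

Only the hoisted 3.14.2 copy required by @splitsoftware/splitio is reported; the nested 4.2.0 copy that `other-tool` resolves to is not.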