Description
Describe the bug
Seen via GH security alert:
tmp allows arbitrary temporary file / directory write via symbolic link dir parameter
Dependabot cannot update tmp to a non-vulnerable version
The latest possible version that can be installed is 0.0.33 because of the following conflicting dependencies:
[email protected] requires [email protected] via a transitive dependency on [email protected]
No patched version available for tmp
The earliest fixed version is 0.2.4.
To Reproduce
Run a GH security check
Expected behavior
No security report
Environment:
- OS and version: Debian 13
- Node.js version: 18.x
- broken-link-checker version: 0.7.8
Note
It seems that the dependency causing the issue is useragent, which has not been updated in 6 years and is likely to be considered unmaintained... A replacement such as ua-parser-js, which is maintained, may fix the issue.