fix: use @snyk/update-notifier instead of update-notifier

Using a forked version of update-notifier to fix a prototype pollution in its dependency dot-prop present in versions < 5.1.0
snyk · Jan 31, 2020 · b74bbe2 · b74bbe2
1 parent 93845d9
commit b74bbe2
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -59,6 +59,7 @@
     "@snyk/dep-graph": "1.13.1",
     "@snyk/gemfile": "1.2.0",
     "@snyk/snyk-cocoapods-plugin": "2.0.1",
+    "@snyk/update-notifier": "^2.5.1-rc1",
     "@types/agent-base": "^4.2.0",
     "@types/restify": "^4.3.6",
     "abbrev": "^1.1.1",
@@ -97,7 +98,6 @@
     "strip-ansi": "^5.2.0",
     "tempfile": "^2.0.0",
     "then-fs": "^2.0.0",
-    "update-notifier": "^2.5.0",
     "uuid": "^3.3.2",
     "wrap-ansi": "^5.1.0"
   },

diff --git a/src/lib/updater.ts b/src/lib/updater.ts
@@ -1,4 +1,4 @@
-import * as updateNotifier from 'update-notifier';
+import * as updateNotifier from '@snyk/update-notifier';
 import * as fs from 'fs';
 import * as p from 'path';
 

diff --git a/test/updater.test.js b/test/updater.test.js
@@ -4,7 +4,7 @@ const updateCheck = require('../src/lib/updater').updateCheck;
 const fs = require('fs');
 const p = require('path');
 const sinon = require('sinon').createSandbox();
-const updateNotifier = require('update-notifier');
+const updateNotifier = require('@snyk/update-notifier');
 
 // Fake location of the package.json file and verify the code behaves well
 test('missing package.json', (t) => {