hrsakai opened a new pull request #166: URL: https://github.com/apache/pulsar-client-node/pull/166
Ran `npm audit fix` to fix security vulnerabilities.

```
$ npm install
.
.
found 3270 vulnerabilities (82 moderate, 3188 high)
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit fix
.
.
fixed 3269 of 3270 vulnerabilities in 954 scanned packages
  1 vulnerability required manual review and could not be updated
```

We have to upgrade ssri to `v6.0.2 or above` to fix the following security vulnerability, but the `npm-registry-client` dependency is `"ssri": "^5.2.4"`. So we can't fix it.

https://github.com/npm/npm-registry-client/blob/v8.6.0/package.json#L32

`ssri` is a devDependency, so I ignore this security vulnerability this time.

```
$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.0.2 <7.0.0 || >=7.1.1 < 8.0.0 || >= 8.0.1                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ dtslint [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ dtslint > @definitelytyped/utils > npm-registry-client >     │
│               │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 954 scanned packages
  1 vulnerability requires manual review. See the full report for details.
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
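
The version conflict described in the pull request above, as an added example that is not part of the original message or of the project's code: it checks whether any release allowed by the `^5.2.4` constraint falls inside the advisory's patched range, which is why `npm audit fix` leaves this finding for manual review. The interval model and all function names are assumptions of this sketch, and pre-release tags are ignored.

```javascript
// Added example: can a caret constraint ever resolve to a patched ssri release?
// Ranges are modelled as half-open intervals [min, max) over x.y.z versions.

const parse = (v) => v.split(".").map(Number);

// Compare two [major, minor, patch] triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// "^X.Y.Z" with X > 0 allows >=X.Y.Z and <(X+1).0.0.
function caretInterval(version) {
  const min = parse(version);
  if (min[0] === 0) throw new Error("0.x caret ranges are not handled here");
  return { min, max: [min[0] + 1, 0, 0] };
}

// Patched range from the advisory quoted in the PR:
// >=6.0.2 <7.0.0 || >=7.1.1 <8.0.0 || >=8.0.1
const PATCHED = [
  { min: parse("6.0.2"), max: parse("7.0.0") },
  { min: parse("7.1.1"), max: parse("8.0.0") },
  { min: parse("8.0.1"), max: [Infinity, 0, 0] },
];

// Two half-open intervals overlap when each starts before the other ends.
const overlaps = (a, b) => cmp(a.min, b.max) < 0 && cmp(b.min, a.max) < 0;

// True if some version allowed by "^caretBase" is also a patched version.
function canResolveToPatched(caretBase, patched = PATCHED) {
  const wanted = caretInterval(caretBase);
  return patched.some((p) => overlaps(wanted, p));
}

// True if one concrete installed version lies inside the patched range.
function isPatched(version, patched = PATCHED) {
  const v = parse(version);
  return patched.some((p) => cmp(v, p.min) >= 0 && cmp(v, p.max) < 0);
}

console.log("^5.2.4 can reach a patched ssri:", canResolveToPatched("5.2.4"));
console.log("^6.0.0 can reach a patched ssri:", canResolveToPatched("6.0.0"));
```

`isPatched` can be applied to the version that `npm ls ssri` reports to confirm whether an installed copy is covered by the advisory's fix.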