1and1 / oneandone-cloudserver-sdk-nodejs

The official Node.js library for the 1&1 Cloud API.
Apache License 2.0

Upgrade mocha to fix security issues #20

Open Clement134 opened 5 years ago

Clement134 commented 5 years ago

Hello,

At the moment this project uses version 2.5.3 of mocha. This version is vulnerable to the following 3 vulnerabilities:

Low: Regular Expression Denial of Service
  Package: debug (dependency of mocha)
  Path: mocha > debug
  More info: https://nodesecurity.io/advisories/534

High: Regular Expression Denial of Service
  Package: minimatch (dependency of mocha)
  Path: mocha > glob > minimatch
  More info: https://nodesecurity.io/advisories/118

Critical: Command Injection
  Package: growl (dependency of mocha)
  Path: mocha > growl
  More info: https://nodesecurity.io/advisories/146

An upgrade to mocha@5.2.0 would solve these issues. I have tried to run the tests in order to upgrade mocha, but it seems that it needs a 1&1 token (which I don't have).
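Added example (not the project's or the reporter's code): a Node.js script that walks a constructed package-lock v1 tree shaped like mocha 2.5.3's dependency chain and reports each advisory's severity and dependency path, the way the report above does, plus a severity gate for CI. The lock tree, the placeholder versions and the name-only matching are assumptions; the advisory names, severities and URLs are the ones quoted in the report.

```javascript
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };
// Constructed package-lock v1 tree mirroring mocha 2.5.3's transitive
// dependencies as listed in the issue; transitive versions are placeholders.
const LOCK = {
  dependencies: {
    mocha: {
      version: '2.5.3',
      dependencies: {
        debug: { version: '0.0.0-placeholder' },
        glob: { version: '0.0.0-placeholder',
                dependencies: { minimatch: { version: '0.0.0-placeholder' } } },
        growl: { version: '0.0.0-placeholder' },
      },
    },
  },
};

// The three advisories quoted in the issue (URLs from the issue text).
const ADVISORIES = [
  { pkg: 'debug', severity: 'low', title: 'Regular Expression Denial of Service', url: 'https://nodesecurity.io/advisories/534' },
  { pkg: 'minimatch', severity: 'high', title: 'Regular Expression Denial of Service', url: 'https://nodesecurity.io/advisories/118' },
  { pkg: 'growl', severity: 'critical', title: 'Command Injection', url: 'https://nodesecurity.io/advisories/146' },
];

// Depth-first walk yielding every installed package with the chain of names leading to it.
function* walk(node, path = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    yield { name, version: dep.version, path: here };
    yield* walk(dep, here);
  }
}
// Match installed packages against advisories by name (a real check also tests
// dep.version against the advisory's vulnerable range); most severe first.
function findVulnerable(lock, advisories) {
  const byName = new Map(advisories.map((a) => [a.pkg, a]));
  const hits = [];
  for (const { name, version, path } of walk(lock)) {
    const adv = byName.get(name);
    if (adv) hits.push({ ...adv, version, path: path.join(' > ') });
  }
  return hits.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}
// True when any finding is at or above the threshold, e.g. to fail a CI job.
function failsGate(hits, threshold) {
  return hits.some((h) => SEVERITY_RANK[h.severity] >= SEVERITY_RANK[threshold]);
}
// Prints e.g. "critical Command Injection (growl) path: mocha > growl".
for (const h of findVulnerable(LOCK, ADVISORIES)) console.log(`${h.severity.padEnd(8)} ${h.title} (${h.pkg}) path: ${h.path}`);
```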

Clement134 commented 5 years ago

Hi @alibazlamit, could we have any feedback on this issue? The fact that tests are run with a real oneandone server makes contributions to this project very difficult (even to keep dependencies up to date).

tcrowe commented 5 years ago

This was fixed but the module was not re-published to npm.

npm info liboneandone --registry registry.npmjs.com