Open JavierCane opened 5 years ago
We have the following two security alerts opened by GitHub:

These security bugs are related to the just-published vulnerabilities in the `event-stream` package, versions 3.3.6 and later. Here we can find more information about it:

Searching for usages of the `event-stream` package in the examples, I've found the following occurrences:

- `13-ssr-nuxt` -> `yarn.lock`
- `13-ssr-nuxt` -> `package-lock.json`

It seems to be added as a transitive dependency by the `ps-tree@^1.1.0` package, which is added by the `pstree.remy@^1.1.0` one, added by the `nodemon@^1.11.0` one. This `nodemon` package is the one we really ask for in our `package.json`.

Searching for related issues, we can see the following ones in the `nodemon` repo:

The commit referenced as a fix for the vulnerability doesn't contain the removal of the `pstree[.remy]` dependency; however, they explicitly claim it solves it.

@juanmaguitar: `"nodemon": "^1.11.0"` to `"nodemon": "^1.18.7"` in our `package.json`?
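The dependency chain described in the issue (`nodemon` -> `pstree.remy` -> `ps-tree` -> `event-stream`) can be recovered mechanically from a lockfile rather than by reading it by hand. The script below is an added example, not code from this issue, from the example repository, or from the nodemon or event-stream projects. It walks a `package-lock.json` with `lockfileVersion` 1, follows `requires` edges from the packages you list as roots, resolves each name the way npm does (nearest nested `dependencies` map first, then outward to the hoisted top level), and flags any `event-stream` at or above 3.3.6, the range the issue states. The embedded lock data is constructed for the example: the resolved versions and the `other-dev-tool` package are made up.

```javascript
// Added example, not code from this issue or from the nodemon / event-stream
// projects: walk a package-lock.json (lockfileVersion 1) and report every
// dependency chain that reaches a target package, flagging versions in the
// affected range. Against a real lockfile:
//   node audit-lock.js path/to/package-lock.json event-stream 3.3.6
'use strict';

// Compare two dotted versions numerically (pre-release suffixes are ignored).
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Resolve `name` the way npm does for nested packages: innermost
// "dependencies" map first, then outward to the root (hoisted packages).
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && Object.prototype.hasOwnProperty.call(scopes[i], name)) {
      return { entry: scopes[i][name], depth: i };
    }
  }
  return null;
}

// Return every chain root -> ... -> target reached by following `requires`
// edges from the given root packages (default: every top-level entry).
function auditLock(lock, target, minVulnerable, rootNames) {
  const rootDeps = lock.dependencies || {};
  const roots = rootNames || Object.keys(rootDeps);
  const hits = [];

  function walk(name, entry, scopes, chain, seen) {
    const label = `${name}@${entry.version}`;
    const next = chain.concat(label);
    if (name === target) {
      hits.push({
        chain: next.join(' -> '),
        version: entry.version,
        vulnerable: compareVersions(entry.version, minVulnerable) >= 0,
      });
      return;
    }
    if (seen.has(label)) return; // guard against dependency cycles
    const inner = scopes.concat([entry.dependencies || {}]);
    const nextSeen = new Set(seen).add(label);
    for (const dep of Object.keys(entry.requires || {})) {
      const r = resolve(dep, inner);
      // The resolved entry lives in inner[r.depth]; its own nested
      // dependencies are pushed on the next recursion step.
      if (r) walk(dep, r.entry, inner.slice(0, r.depth + 1), next, nextSeen);
    }
  }

  for (const name of roots) {
    if (rootDeps[name]) walk(name, rootDeps[name], [rootDeps], [], new Set());
  }
  return hits;
}

function vulnerableChains(lock, target, minVulnerable, rootNames) {
  return auditLock(lock, target, minVulnerable, rootNames).filter((h) => h.vulnerable);
}

// Constructed sample lockfile mirroring the chain the issue describes
// (nodemon -> pstree.remy -> ps-tree -> event-stream). The resolved versions
// and the `other-dev-tool` package are made up for this example.
const CONSTRUCTED_LOCK = {
  name: '13-ssr-nuxt',
  lockfileVersion: 1,
  dependencies: {
    nodemon: { version: '1.11.0', dev: true, requires: { 'pstree.remy': '^1.1.0' } },
    'pstree.remy': { version: '1.1.0', dev: true, requires: { 'ps-tree': '^1.1.0' } },
    'ps-tree': { version: '1.1.0', dev: true, requires: { 'event-stream': '~3.3.0' } },
    'event-stream': { version: '3.3.6', dev: true },
    'other-dev-tool': {
      version: '0.1.0',
      dev: true,
      requires: { 'event-stream': '3.3.4' },
      // nested copy, as npm writes it when two ranges cannot share one install
      dependencies: { 'event-stream': { version: '3.3.4', dev: true } },
    },
  },
};

// CLI entry point for a real lockfile; skipped when no path is given.
if (typeof require === 'function' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  const [target = 'event-stream', minVulnerable = '3.3.6'] = process.argv.slice(3);
  for (const h of auditLock(lock, target, minVulnerable)) {
    console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok        '} ${h.chain}`);
  }
}
```

Passing the `package.json` dependency names as `rootNames` keeps the report to chains that start from something you actually asked for, which is the question the issue raises: whether bumping `nodemon` alone removes the affected `event-stream` from the tree. Re-running the script on the regenerated lockfile after the bump answers that without trusting the upstream commit message.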
@JavierCane `nodemon` package is a package only needed for development so: