FWeinb / grunt-svgstore

Merge svgs from a folder
MIT License

Cross-Site Scripting #141

Closed fluse closed 5 years ago

fluse commented 6 years ago

High: Cross-Site Scripting
Package: handlebars
Patched in: >=4.0.0
Dependency of: grunt-svgstore [dev]
Path: grunt-svgstore > handlebars
More info: https://nodesecurity.io/advisories/61

medarob commented 5 years ago

Can someone please fix it!?

I found this documentation on the npm website, but I have no clue how to do that; maybe someone else does:

Update dependent packages if a fix exists

If a fix exists but packages that depend on the package with the vulnerability have not been updated to include the fixed version, you may want to open a pull or merge request on the dependent package repository to use the fixed version.

  1. To find the package that must be updated, check the “Path” field for the location of the package with the vulnerability, then check for the package that depends on it. For example, if the path to the vulnerability is @package-name > dependent-package > package-with-vulnerability, you will need to update dependent-package.
  2. On the npm public registry, find the dependent package and navigate to its repository. For more information on finding packages, see “Searching for and choosing packages to download”.
  3. In the dependent package repository, open a pull or merge request to update the version of the vulnerable package to a version with a fix.
  4. Once the pull or merge request is merged and the package has been updated in the npm public registry, update your copy of the package with npm update.
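
As an added illustration of the quoted steps (example code, not from this issue or from grunt-svgstore), the script below takes constructed findings shaped like the advisory box above, derives the dependent package to patch from the "Path" field and checks an installed version against the "Patched in" range; the installed versions and the second finding are assumptions.

```javascript
// Constructed sample findings shaped after the advisory box quoted in this issue
// (not real `npm audit` output; versions and the second entry are hypothetical).
const SAMPLE_FINDINGS = [
  { module: "handlebars", patchedIn: ">=4.0.0",
    path: "grunt-svgstore > handlebars", installed: "3.0.3" },
  { module: "example-lib", patchedIn: ">=1.2.0 <2.0.0",
    path: "my-app > example-lib", installed: "1.4.0" },
];

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease and build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`Not a semver version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Does the installed version fall inside a "Patched in" range? The range is a
// space-separated list of comparators that must all hold, e.g. ">=1.2.0 <2.0.0".
function satisfiesRange(version, range) {
  return range.trim().split(/\s+/).every((comp) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comp);
    if (!m) throw new Error(`Unsupported comparator: ${comp}`);
    const c = compareVersions(version, m[2]);
    return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c === 0 }[m[1] || "="];
  });
}

// Step 1 of the quoted guidance: the package that must be updated is the one
// immediately before the vulnerable package in the "Path" chain.
function dependentToUpdate(path) {
  const chain = path.split(">").map((s) => s.trim()).filter(Boolean);
  return chain.length >= 2 ? chain[chain.length - 2] : null;
}

// Decide, per finding, whether a fix is already installed or a PR is needed.
function triage(finding) {
  const patched = satisfiesRange(finding.installed, finding.patchedIn);
  const dependent = dependentToUpdate(finding.path);
  return { module: finding.module, dependent, patched,
    action: patched ? "none" : `update ${finding.module} in ${dependent} to ${finding.patchedIn}` };
}

console.log(SAMPLE_FINDINGS.map(triage));
```
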

jonathantneal commented 5 years ago

Resolved by #142