GIScience / openrouteservice-js

:pushpin: The JavaScript API to consume openrouteservice(s) painlessly!
https://openrouteservice.org
Apache License 2.0

vulnerability issue: http-server dependency #43

Closed busybox11 closed 2 years ago

busybox11 commented 2 years ago

When installing this module, npm reports a moderate-severity vulnerability caused by the required version of http-server, which is 0.12.3, that requires a vulnerable version of ecstatic (<4.1.3). The earliest non-vulnerable version of http-server seems to be 0.13.0, since it does not require the now unsupported ecstatic package. Also, it seems like openrouteservice-js does not utilize http-server at the top level. If that's the case, the dependency could be removed, fixing the vulnerability problem and removing a useless package too.
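One way to confirm which direct dependency pulls a vulnerable transitive package into an install is to walk the lockfile and list every chain from the root to a copy older than the fixed version. This is an added example, not part of the issue or of the project's code; the lockfile contents, the `demo-app` name and the ecstatic version `3.3.2` are constructed sample data, and the function names are hypothetical.

```javascript
// Constructed sample lockfile (npm "packages" layout); not the project's real one.
const sampleLock = { lockfileVersion: 2, packages: {
  "": { name: "demo-app", dependencies: { "http-server": "0.12.3" } },
  "node_modules/http-server": { version: "0.12.3", dependencies: { ecstatic: "^3.3.2" } },
  "node_modules/ecstatic": { version: "3.3.2" }, // constructed version below 4.1.3
} };

// Compare the numeric x.y.z parts of two versions (prerelease tags are ignored).
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Resolve `name` as seen from lockfile key `fromKey` (nearest node_modules wins).
function resolveKey(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every chain from the root to a copy of `target` older than `fixedIn`.
function findVulnerableChains(lock, target, fixedIn) {
  const packages = lock.packages, chains = [];
  function walk(key, chain, seen) {
    const pkg = packages[key], dev = key === "" ? pkg.devDependencies : {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...dev };
    for (const name of Object.keys(deps)) {
      const childKey = resolveKey(packages, key, name);
      if (!childKey || seen.has(childKey)) continue; // unresolved or cyclic
      const version = packages[childKey].version;
      const next = [...chain, `${name}@${version}`];
      if (name === target && compareVersions(version, fixedIn) < 0) chains.push(next);
      walk(childKey, next, new Set(seen).add(childKey));
    }
  }
  walk("", [], new Set([""]));
  return chains;
}
console.log(findVulnerableChains(sampleLock, "ecstatic", "4.1.3"));
```

A chain whose first element is a package the code never imports points at a direct dependency that can be dropped rather than upgraded.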