Closed JotaroS closed 4 years ago
This was included to fix a problem with http-server 0.11.1 including a broken version of ecstatic (3.0.0). It seems the new http-server version 0.12.1 uses ecstatic 3.3.2, so you should be able to update http-server and drop the ecstatic entry in our package.json.
Regarding the vulnerability in ecstatic, it seems to be fixed in v3.3.2:
Patches for the security vulnerability have been applied to versions v4.1.2, v3.3.2 and v2.2.2. Older versions will remain unpatched. I apologize for the inconvenience. (https://github.com/jfhbrook/node-ecstatic/issues/259)
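Added example (not code from dualpantoframework or from ecstatic): a Node.js check that finds every ecstatic copy in a parsed package-lock.json and compares it with the patched versions quoted above. The sample lockfile is constructed, and treating majors below 2 as "unpatched" and majors above 4 as "unknown" is an assumption about how to read the quote.

```javascript
// Patched releases per major line, as quoted from node-ecstatic issue #259.
const PATCHED = { 2: [2, 2, 2], 3: [3, 3, 2], 4: [4, 1, 2] };

// Classify one ecstatic version string: "patched", "unpatched" or "unknown".
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return "unknown";
  const v = m.slice(1).map(Number);
  const floor = PATCHED[v[0]];
  // Assumption: majors below 2 count as the "older versions" left unpatched;
  // majors above 4 are not covered by the quote, so they stay "unknown".
  if (!floor) return v[0] < 2 ? "unpatched" : "unknown";
  for (let i = 1; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] > floor[i] ? "patched" : "unpatched";
  }
  return "patched";
}

// Find every ecstatic copy in a parsed package-lock.json.
// Handles the v2/v3 "packages" map and the older nested v1 "dependencies" tree.
function findEcstatic(lock) {
  const hits = [];
  const add = (path, pkg) =>
    hits.push({ path, version: pkg.version, status: classify(pkg.version) });
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/ecstatic")) add(path, pkg);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      if (name === "ecstatic") add([...trail, name].join(" > "), pkg);
      walk(pkg.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (v1 layout): a top-level pin plus a nested copy.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    ecstatic: { version: "3.0.0" },
    "http-server": { version: "0.12.1", dependencies: { ecstatic: { version: "3.3.2" } } },
  },
};
console.log(findEcstatic(sampleLock));
```

In a project, pass `JSON.parse` of the real package-lock.json to `findEcstatic`; any hit reported as "unpatched" is a copy that still needs the update or removal described above.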
Thanks @lukaswagner!
@JotaroS so this is fixed? If so, please close.
https://github.com/HassoPlattnerInstituteHCI/dualpantoframework/blob/a3f71976f16771196579af4b04da00e833f609cc/package.json#L32
Ecstatic is deprecated and there's a security vulnerability against DoS attack.
I see this isn't referred to by any code but still has to be imported?
(Last commit wrt this has been made by @lukaswagner https://github.com/HassoPlattnerInstituteHCI/dualpantoframework/blame/f3968089c393f84c25a923c5d52f744afc8b0694/package.json#L32)