Closed robtree closed 3 years ago
Might be worth deleting the much older https://www.npmjs.com/package/bibtex-parser-js too.
Believe this has been resolved by https://github.com/ORCID/bibtexParseJs/pull/32/files and the publication of https://www.npmjs.com/package/@orcid/bibtex-parse-js 0.0.25.
Indeed. Thanks, Rob!
https://www.npmjs.com/package/bibtex-parse-js has fallen behind the last three years of work.
Because an old version of ava is still one of the dependencies rather than one of the devDependencies, npm audit is reporting two vulnerabilities when using:

npm i bibtex-parse-js

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Low             Regular Expression Denial of Service
Package         braces
Patched in      >=2.3.1
Dependency of   bibtex-parse-js
Path            bibtex-parse-js > ava > chokidar > anymatch > micromatch > braces
More info       https://npmjs.com/advisories/786

High            Prototype Pollution
Package         dot-prop
Patched in      >=4.2.1 <5.0.0 || >=5.1.1
Dependency of   bibtex-parse-js
Path            bibtex-parse-js > ava > update-notifier > configstore > dot-prop
More info       https://npmjs.com/advisories/1213

found 2 vulnerabilities (1 low, 1 high) in 1692 scanned packages
2 vulnerabilities require manual review. See the full report for details.
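To make the reporter's point concrete, here is an added example (not code from bibtex-parse-js or from this thread) that attributes each audit "Path" line to the direct dependency that introduces it and checks whether that dependency sits under dependencies (shipped to every consumer) or devDependencies (maintainer-only). The package.json contents and the "0.x" version are constructed.

```javascript
// Constructed package.json resembling the report: the test runner ava is
// listed under "dependencies", so every consumer installs ava's whole tree.
const packageJsonBefore = {
  name: "bibtex-parse-js",
  dependencies: { ava: "0.x" }, // placeholder version
  devDependencies: {},
};

// Constructed sample: the two Path lines from the audit output above.
const auditPaths = [
  "bibtex-parse-js > ava > chokidar > anymatch > micromatch > braces",
  "bibtex-parse-js > ava > update-notifier > configstore > dot-prop",
];

// Split "a > b > c" into ["a", "b", "c"].
function parseAuditPath(line) {
  return line.split(">").map((s) => s.trim()).filter(Boolean);
}

// Attribute one finding: chain[0] is our own package, chain[1] the direct
// dependency that pulls the rest in, the last element the vulnerable package.
function attributeFinding(pkg, pathLine) {
  const chain = parseAuditPath(pathLine);
  const direct = chain[1];
  const vulnerable = chain[chain.length - 1];
  let scope = "not listed";
  if ((pkg.dependencies || {})[direct]) scope = "runtime";
  else if ((pkg.devDependencies || {})[direct]) scope = "dev-only";
  return { direct, vulnerable, scope };
}

// Findings reached through a runtime dependency land on every machine that
// runs `npm i <package>`; those are the consumer-facing ones to fix first.
function consumerFacingFindings(pkg, paths) {
  return paths.map((p) => attributeFinding(pkg, p)).filter((f) => f.scope === "runtime");
}

// Remediation for a development-only tool: move it to devDependencies so a
// consumer's install (and its npm audit) no longer pulls in that subtree.
function moveToDevDependencies(pkg, name) {
  const { [name]: version, ...rest } = pkg.dependencies || {};
  if (version === undefined) return pkg; // nothing to move
  return {
    ...pkg,
    dependencies: rest,
    devDependencies: { ...(pkg.devDependencies || {}), [name]: version },
  };
}

const packageJsonAfter = moveToDevDependencies(packageJsonBefore, "ava");
```

Both audit paths resolve to ava as the direct dependency, so moving that one entry removes both consumer-facing findings without touching braces or dot-prop directly.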