Wtower / generator-makrina

Yeoman generator for MEAN projects
MIT License

Update Dependencies #31

Closed sankhakarfa closed 7 years ago

sankhakarfa commented 7 years ago

Can you update these dependencies?

npm WARN deprecated mongodb@2.2.16: Please upgrade to 2.2.19 or higher
npm WARN deprecated gulp-minify-css@1.2.4: Please use gulp-clean-css
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN deprecated node-uuid@1.4.7: use uuid module instead
npm WARN deprecated minimatch@3.0.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful

Wtower commented 7 years ago

Hello and thanks for the contribution.

The above are generated dependencies, i.e. they come from the installation of the generated package.json:

mongodb

npm WARN deprecated mongodb@2.2.16: Please upgrade to 2.2.19 or higher

This is a dependency of mongoose:

├─┬ mongoose@4.7.6 
│ ├─┬ mongodb@2.2.16 

There is a relevant pull request: https://github.com/Automattic/mongoose/pull/4871

So nothing can be done here from our part.

tough-cookie

npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130

This is a dependency of gulp-nsp:

├─┬ gulp-nsp@2.4.2 
│ └─┬ nsp@2.3.0 
│   ├─┬ nodesecurity-npm-utils@4.0.1 
│   │ └─┬ silent-npm-registry-client@2.0.0 
│   │   ├─┬ npm-registry-client@7.1.0 
│   │   │ ├─┬ request@2.69.0 
│   │   │ │ ├── tough-cookie@2.2.2 

Nsp is an auxiliary development dependency that helps to identify node security vulnerabilities. It should only be installed on the dev machine and run locally. Following this advice, there is no security risk whatsoever.

You have to address the above module maintainers to update them.

node-uuid

npm WARN deprecated node-uuid@1.4.7: use uuid module instead

This is a dependency of gulp-minify-html:

├─┬ gulp-minify-html@1.0.6 
│ ├─┬ minimize@1.8.1 
│ │ └── node-uuid@1.4.7 

gulp-minify-html is used in the gulp task where angular html templates are packed into partials.js.

It is also a dependency of gulp-nsp again:

├─┬ gulp-nsp@2.4.2 
│ └─┬ nsp@2.3.0 
│   ├─┬ nodesecurity-npm-utils@4.0.1 
│   │ └─┬ silent-npm-registry-client@2.0.0 
│   │   ├─┬ npm-registry-client@7.1.0 
│   │   │ ├─┬ request@2.69.0 
│   │   │ │ ├── node-uuid@1.4.7 

None of the above pose any security risk.

You have to address the above module maintainers to update them.

minimatch

npm WARN deprecated minimatch@3.0.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue

This is a dependency of gulp-nsp again:

├─┬ gulp-nsp@2.4.2 
│ └─┬ nsp@2.3.0 
│   ├─┬ nodesecurity-npm-utils@4.0.1 
│   │ └─┬ silent-npm-registry-client@2.0.0 
│   │   ├─┬ npm-registry-client@7.1.0 
│   │   │ ├─┬ rimraf@2.5.2 
│   │   │ │ └─┬ glob@7.0.3 
│   │   │ │   └─┬ minimatch@3.0.0 

For the reason mentioned above for nsp and tough-cookie, this is not a security vulnerability.

npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue

This is a dependency of gulp:

├─┬ gulp@3.9.1 
│ └─┬ vinyl-fs@0.3.14 
│   ├─┬ glob-stream@3.1.18 
│   │ ├── minimatch@2.0.10 

gulp is a development dependency that should only be installed and executed on the development machine. If so, there is no security threat.

It is also a dependency of gulp-istanbul:

├─┬ gulp-istanbul@1.1.1 
│ ├─┬ istanbul-threshold-checker@0.1.0 
│ │ ├─┬ istanbul@0.3.22 
│ │ │ ├─┬ fileset@0.2.1 
│ │ │ │ └── minimatch@2.0.10 

gulp-istanbul is used during gulp build to generate test coverage. It is a development dependency that should only be installed and executed on the development machine. If so, there is no security threat.

npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue

This is a dependency of gulp again:

├─┬ gulp@3.9.1 
│ └─┬ vinyl-fs@0.3.14 
│   ├─┬ glob-watcher@0.0.6 
│   │ └─┬ gaze@0.5.2 
│   │   └─┬ globule@0.1.0 
│   │     └── minimatch@0.2.14 

You have to address the above module maintainers to update them.

graceful-fs

npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful

This is a dependency of gulp again:

├─┬ gulp@3.9.1 
│ └─┬ vinyl-fs@0.3.14 
│   ├─┬ glob-watcher@0.0.6 
│   │ └─┬ gaze@0.5.2 
│   │   └─┬ globule@0.1.0 
│   │     ├─┬ glob@3.1.21 
│   │     │ ├── graceful-fs@1.2.3 

You have to address the above module maintainers to update them.

gulp-minify-css

npm WARN deprecated gulp-minify-css@1.2.4: Please use gulp-clean-css

This is the only direct dependency in the generated gulpfile, but will soon be removed in #29 in favor of the gulpfile-ninecms package, which has a relevant issue:

https://github.com/Wtower/gulpfile-ninecms/issues/5

You can subscribe to that issue if interested. Nevertheless, there is no problem coming from the use of that package, because no significant updates have been made to the new one and because it is a development dependency.

Sum-up

With the exception of minify-css, all of the above are dependencies of other packages. You can identify them yourself by using npm ls and address the corresponding maintainer.