> My guess is that the first vulnerability can be patched by updating node-pre-gyp so that the vulnerable module ''hoek'' gets updated
I tried that, but there were breaking changes in node-pre-gyp (yes, without a semver-major release :disappointed:) that I was unable to fix.
The same goes for the second vulnerability, although it’s worth pointing out that if you are still running v4.x, then you’re already insecure by default and no updating of dependencies is going to help with that.
Neither of these vulnerabilities affects this library but I can understand that you want to upgrade it. I’ll see what I can do when I find the time.
Yeah that's a weird thing. Well I hope you can find a fix. You can close it from here, I got enough information 👍
Hi. I have a question about some dependencies that this module uses. I'm using this module for one of my projects and NodeSecurity.io verified that this module has 2 outdated dependencies resulting in 2 vulnerabilities. I don't know much about this, which is why I'm just asking to make sure that it exists.
You can find these 2 vulnerabilities here:
https://nodesecurity.io/advisories/566
https://nodesecurity.io/advisories/664
My guess is that the first vulnerability can be patched by updating node-pre-gyp so that the vulnerable module ''hoek'' gets updated, resulting in patching the vulnerability. I have no idea about the second vulnerability.
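Tracing which direct dependency pulls in a flagged transitive package such as hoek, as an added example that is not part of the original thread or this project's code: it walks a parsed `package-lock.json` in the lockfileVersion 1 layout (an assumption) and follows `requires` entries with Node's nearest-ancestor resolution. The lockfile content, the `example-intermediate` and `other-lib` packages and all versions are constructed, and `findRequirePaths` is a hypothetical helper.

```javascript
// Constructed sample lockfile (lockfileVersion 1 layout); versions are placeholders.
const sampleLock = {
  dependencies: {
    "node-pre-gyp": {
      version: "1.0.0-sample",
      requires: { "example-intermediate": "*" },
      dependencies: {
        "example-intermediate": { version: "2.0.0-sample", requires: { hoek: "*" } }
      }
    },
    hoek: { version: "3.0.0-sample" },       // hoisted to the top level by npm
    "other-lib": { version: "4.0.0-sample" } // direct dependency that never reaches hoek
  }
};

// Hypothetical helper: list every require chain from a direct dependency to `target`.
function findRequirePaths(lock, directDeps, target) {
  const results = [];
  // Resolve a required name the way Node does: innermost node_modules first, then outward.
  function resolve(name, scopes) {
    for (let i = scopes.length - 1; i >= 0; i--) {
      if (scopes[i][name]) return { node: scopes[i][name], scopes: scopes.slice(0, i + 1) };
    }
    return null; // not installed (e.g. an optional dependency that was skipped)
  }
  function walk(name, node, scopes, chain) {
    const label = `${name}@${node.version}`;
    if (chain.includes(label)) return; // guard against circular requires
    const next = chain.concat(label);
    if (name === target) { results.push(next.join(" > ")); return; }
    const inner = scopes.concat([node.dependencies || {}]);
    for (const req of Object.keys(node.requires || {})) {
      const hit = resolve(req, inner);
      if (hit) walk(req, hit.node, hit.scopes, next);
    }
  }
  const root = lock.dependencies || {};
  for (const name of directDeps) {
    if (root[name]) walk(name, root[name], [root], []);
  }
  return results;
}

// directDeps would normally come from package.json; here it is constructed.
console.log(findRequirePaths(sampleLock, ["node-pre-gyp", "other-lib"], "hoek"));
```

The first element of each chain is the package whose upgrade (or replacement) would change the resolved version of the flagged module.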