adobe / vent

DOM event delegation that actually works
Apache License 2.0

Security Vulnerability in a dependency as reported by GitHub #1

Open filmaj opened 6 years ago

filmaj commented 6 years ago

Sample code

N/A

Expected Behavior

No security vulnerabilities as detected by GitHub to be present on any of this project's dependencies.

Actual Behavior

One exists 😢

See https://github.com/adobe/vent/network/dependencies

Version

1.0.0

Checklist

lazd commented 6 years ago

Looks like it comes down via karma -> log4js -> logly -> request -> hawk -> hoek.

Karma references it here: https://github.com/karma-runner/karma/issues/2994
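Tracing a chain like the one in the comment above can be automated. The following is an added example, not part of the original thread or the vent project: it walks a dependency tree in the nested shape that `npm ls --json` prints and lists every path to a named package. The tree, the `example-tool` package and all versions except vent's are constructed placeholders.

```javascript
// Constructed sample in the nested shape that `npm ls --json` prints.
// Package names follow the chain quoted in the comment; versions are placeholders.
const leaf = (deps) => ({ version: "0.0.0-placeholder", dependencies: deps });
const sampleTree = {
  name: "vent",
  version: "1.0.0",
  dependencies: {
    karma: leaf({
      log4js: leaf({
        logly: leaf({ request: leaf({ hawk: leaf({ hoek: leaf({}) }) }) }),
      }),
    }),
    // Hypothetical second route, to show that every path is reported.
    "example-tool": leaf({ hoek: leaf({}) }),
  },
};

// Depth-first walk: returns every chain of package names from the root to `target`.
function findDependencyPaths(node, target, trail = [node.name]) {
  const paths = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const next = [...trail, name];
    if (name === target) paths.push(next);
    paths.push(...findDependencyPaths({ ...child, name }, target, next));
  }
  return paths;
}

// The direct dependencies (second element of each path) are the ones the
// project itself can bump to pick up a fixed transitive package.
function directDependenciesToUpdate(tree, target) {
  return [...new Set(findDependencyPaths(tree, target).map((p) => p[1]))];
}

for (const path of findDependencyPaths(sampleTree, "hoek")) {
  console.log(path.join(" -> "));
}
console.log("update:", directDependenciesToUpdate(sampleTree, "hoek").join(", "));
```
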

stevengill commented 6 years ago

sweet, looks like they are in the process of fixing it. Once they release an updated version it is just a matter of updating the dep of Karma in here

mmatlock-shr commented 6 years ago

@stevengill Well, I don't know if they're in the process of fixing it. When I reported the vulns, the response was "While I think we should clean these up, it's not super important for karma-runner users".

I don't know if anyone is hopping on board to do the work needed for updating it. I believe one of the blockers was log4js, which has updated, so hopefully that spurs movement on Karma's side.

tobi-or-not-tobi commented 6 years ago

@mmatlock-shr there's actually a PR on the way, but it seems to have been stuck for a couple of weeks. I've asked to follow up on it.