alanshaw
commented
6 years ago At a guess I'd say the advisory had a typo with the vulnerable versions that was updated after it was published. David doesn't automatically update advisories info it already knows about. I've restarted the service (which clears the advisories cache) and your dependency is now showing as not vulnerable.
HTH
jkutianski
I updated Superagent to 3.7.x on my package but it's still marked as vulnerable on https://david-dm.org/jkutianski/meetup-api