andymantell / node-wpautop

A Node.js port of WordPress' wpautop() function
GNU General Public License v2.0

Remove phpjs or upgrade #4

Closed abstractvector closed 6 years ago

abstractvector commented 6 years ago

The version of phpjs you are using relies on a library send which has two known vulnerabilities:

Given you've now removed phpjs dependency from the main library, could you please either:

I'm happy to make the necessary changes and submit a PR if you let me know which of the above you'd prefer.

andymantell commented 6 years ago

Thanks for alerting me to this, Matt. I reckon removing the dependency is probably the best bet. If you're willing to do the work, that would be greatly appreciated. I am happy to do it, but it won't be till the weekend, so if you'd like it done sooner feel free to pitch in!

Or for expediency, upgrading phpjs and moving to Dev deps is fine too...

abstractvector commented 6 years ago

Thanks for the quick reply @andymantell. I've submitted a pull request for the changes - I did make a few other changes whilst I was there and documented them in the PR. Please let me know if you're happy with those.

andymantell commented 6 years ago

Fixed in https://github.com/andymantell/node-wpautop/pull/5 and released as https://github.com/andymantell/node-wpautop/releases/tag/v1.0.0

andymantell commented 6 years ago

Thanks @abstractvector!