apiaryio / dredd

Language-agnostic HTTP API Testing Tool
https://dredd.org
MIT License
4.18k stars 279 forks

Package dependency triggers NPM advisory (1696) #1934

Open ozamarripa opened 3 years ago

ozamarripa commented 3 years ago

Describe the bug

npm audit triggers an advisory from a tertiary dependency.

{
  "action": "review",
  "module": "json-pointer",
  "resolves": [
    {
      "id": 1696,
      "path": "dredd>gavel>json-pointer",
      "dev": true,
      "optional": false,
      "bundled": false
    }
  ]
}

To Reproduce

Run npm audit and observe that the vulnerability ID is listed.

Expected behavior

npm audit should not list any vulnerabilities tied to this package (or its dependencies).

What is in your dredd.yml?

N/A

What's your dredd --version output?

N/A

Does dredd --loglevel=debug uncover something?

N/A

Can you send us failing test in a Pull Request?

N/A

ansonliao commented 3 years ago

I also hit the vulnerability issue of dredd from npm. When I run npm audit fix --force, the command downgrades my dredd version to 5.3.0, while my running dredd version is 14.0. Any idea how to fix the problem?
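Added example, not code from this issue or from the dredd project: a small Python triage script for the legacy (npm 6) npm audit --json output whose "actions" shape ozamarripa quoted above. It makes the two points a practitioner would check before reacting to such a finding: the "path" chain names the top-level package in your own package.json (dredd) and its depth, and "dev": true means the advisory is reachable only through devDependencies, not through production code. It also flags advisories that npm audit fix cannot resolve without --force ("review" actions, and "install" actions marked "isMajor"), which fits the behaviour ansonliao describes, where --force swapped the top-level dredd for an older version. The sample input is constructed: the json-pointer entry mirrors the quoted object, while the second entry (module "example-lib", advisory id 0, fields "target" and "isMajor") is hypothetical and exists only to show a production-reachable, major-version contrast.

```python
import json
from collections import defaultdict

# Constructed sample in the legacy (npm 6) `npm audit --json` "actions" shape.
# The json-pointer entry mirrors the object quoted in the issue; the second
# entry ("example-lib", id 0) is hypothetical, added only to show the contrast
# between a dev-only finding and a production-reachable one. Nothing here was
# fetched from the npm registry.
SAMPLE_AUDIT_JSON = json.dumps({
    "actions": [
        {
            "action": "review",
            "module": "json-pointer",
            "resolves": [
                {"id": 1696, "path": "dredd>gavel>json-pointer",
                 "dev": True, "optional": False, "bundled": False}
            ],
        },
        {
            "action": "install",
            "module": "example-lib",
            "target": "2.0.0",
            "isMajor": True,
            "resolves": [
                {"id": 0, "path": "example-lib",
                 "dev": False, "optional": False, "bundled": False}
            ],
        },
    ]
})


def parse_actions(audit_json):
    """Flatten the legacy `npm audit --json` actions into one record per
    (advisory, dependency path) pair."""
    report = json.loads(audit_json)
    findings = []
    for action in report.get("actions", []):
        for res in action.get("resolves", []):
            chain = res["path"].split(">")
            findings.append({
                "id": res["id"],
                "module": action["module"],
                "action": action["action"],        # review | install | update
                "target": action.get("target"),    # version npm would install
                "is_major": action.get("isMajor", False),
                "chain": chain,
                "top_level": chain[0],              # package in *your* package.json
                "depth": len(chain),
                "dev": res["dev"],                  # True: only via devDependencies
            })
    return findings


def classify(findings):
    """Per advisory id: "dev-only" when every path to the vulnerable module
    runs through devDependencies, otherwise "production"."""
    by_id = defaultdict(list)
    for f in findings:
        by_id[f["id"]].append(f)
    return {
        adv_id: "dev-only" if all(f["dev"] for f in entries) else "production"
        for adv_id, entries in by_id.items()
    }


def needs_manual_review(findings):
    """Advisory ids that `npm audit fix` will not resolve on its own:
    "review" means npm found no non-breaking upgrade, and a major-version
    "install" is only applied under --force, which is what replaces the
    top-level package rather than just the nested one."""
    return sorted({f["id"] for f in findings
                   if f["action"] == "review" or f["is_major"]})


def triage(audit_json):
    """One-shot summary: exposure per advisory, ids needing a human decision,
    and the top-level packages through which the findings are reached."""
    findings = parse_actions(audit_json)
    return {
        "exposure": classify(findings),
        "manual": needs_manual_review(findings),
        "top_level_offenders": sorted({f["top_level"] for f in findings}),
    }


if __name__ == "__main__":
    for f in parse_actions(SAMPLE_AUDIT_JSON):
        print(f"advisory {f['id']}: {' > '.join(f['chain'])} "
              f"(depth {f['depth']}, {'dev' if f['dev'] else 'prod'}, "
              f"action={f['action']})")
    print(triage(SAMPLE_AUDIT_JSON))
```

To run it against a real project, pipe npm audit --json into the script instead of using the constructed sample (json.load(sys.stdin) in place of SAMPLE_AUDIT_JSON). Newer npm versions emit a different top-level shape ("vulnerabilities" keyed by package), so the parser above only applies to the npm 6 format the issue quotes.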