apigee-127 / swagger-node-runner

The heart of Swagger-Node
MIT License

Known vulnerabilities #126

Open adrbogacz opened 6 years ago

adrbogacz commented 6 years ago

Swagger node runner contains 2 known vulnerabilities in different dependency packages. Is there any plan to use newer versions of those packages?

theganyo commented 6 years ago

What are you referring to?

adrbogacz commented 6 years ago

https://github.com/nodesecurity/nsp I checked my project with this tool and it reports that you are using an outdated debug package version with a known vulnerability: https://nodesecurity.io/advisories/534

Additionally, some of your dependencies also include reported vulnerabilities.

GreensterRox commented 6 years ago

Hello, I have the same issue.

I'm using Swagger https://www.npmjs.com/package/swagger which in turn uses swagger-connect version 0.1.0.

As I understand it swagger-connect is just a wrapper for this project swagger-node-runner.

When I use nsp (https://www.npmjs.com/package/nsp), it gives me the following vulnerabilities:

Any ideas how I can remove these vulnerabilities?

Thanks!
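A check for the situation described in this thread, added here as an example and not part of the issue or the project: walk a package-lock.json tree and report every nested copy of a package (here `debug`, pulled in through swagger-connect and swagger-node-runner) whose version is below the fixed version. The lock fragment is constructed, and the fixed versions used for the debug advisory (2.6.9 for 2.x, 3.1.0 for 3.x) are an assumption to confirm against the advisory text.

```python
from typing import Dict, Iterator, List, Tuple

# Constructed package-lock.json fragment (not from the project): a nested
# chain swagger-connect -> swagger-node-runner -> debug, plus a second,
# already patched copy of debug at the top level.
SAMPLE_LOCK = {
    "dependencies": {
        "swagger-connect": {"version": "0.1.0", "dependencies": {
            "swagger-node-runner": {"version": "0.5.0", "dependencies": {
                "debug": {"version": "2.2.0"}}}}},
        "debug": {"version": "3.1.0"},
    }
}

# Assumed fixed versions per major line for the debug advisory linked above.
DEBUG_FIXED = {2: "2.6.9", 3: "3.1.0"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.6.9' into (2, 6, 9); any pre-release suffix is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def walk(deps: Dict, path: List[str]) -> Iterator[Tuple[List[str], str]]:
    """Yield (dependency path, version) for every node in the lock tree,
    descending into nested 'dependencies' so shadowed copies are not missed."""
    for name, node in deps.items():
        yield path + [name], node.get("version", "")
        yield from walk(node.get("dependencies", {}), path + [name])


def find_vulnerable(lock: Dict, pkg: str, fixed_in: Dict[int, str]) -> List[Tuple[str, str]]:
    """Return ('a > b > pkg', version) for each copy of pkg that is below the
    fixed version of its major line; majors older than any fixed line count
    as unfixed."""
    hits = []
    for path, version in walk(lock.get("dependencies", {}), []):
        if path[-1] != pkg or not version:
            continue
        parsed = parse_version(version)
        safe = fixed_in.get(parsed[0])
        vulnerable = parsed[0] < min(fixed_in) if safe is None else parsed < parse_version(safe)
        if vulnerable:
            hits.append((" > ".join(path), version))
    return hits


if __name__ == "__main__":
    for where, ver in find_vulnerable(SAMPLE_LOCK, "debug", DEBUG_FIXED):
        print(f"{where}@{ver} is below the fixed version")
```

Pointing the same walker at a real lock file shows which parent package pins the old copy, which is the information needed to decide whether upgrading the wrapper (as suggested later in this thread) actually removes the finding.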

theganyo commented 6 years ago

Yes. I suggest you upgrade. swagger-connect 0.1.0 is ancient; the current version is 0.7.0. The readme of this repo has information on upgrading to a more modern version.

GreensterRox commented 6 years ago

Thank you for your response. If this version is so old, any ideas why it is being used as the default version when I run Swagger create project?

theganyo commented 6 years ago

That's a good question, but one I can't properly answer. Here is the repo for that project: https://github.com/swagger-api/swagger-node. Perhaps they'd like help updating their templates to a recent version.