Closed jssuttles closed 3 years ago
"npm audit" in the downstream project I work on shows the following with node v14.15.1, npm 6.14.9. The PR which was generated by Snyk is over 30 days old now. How long for this change to get merged?
```
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Improper Key Verification                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xml-crypto                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ samlp                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ samlp > saml > xml-crypto                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1583                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Improper Key Verification                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xml-crypto                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ samlp                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ samlp > xml-crypto                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1583                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
Hi All,
I'm closing this ticket as with the updated release, all critical and high audit warnings have been resolved - xml-crypto and other vulnerable libraries have been updated in #114.
Thanks, Tom
Describe the problem you'd like to have solved
npm audit does not produce errors
Describe the ideal solution
xml-crypto is updated to the latest version
Additional context
https://www.npmjs.com/advisories/1583