debug <=2.6.8
Severity: high
deep-extend <0.5.1
Severity: critical
pkg *
Severity: moderate
underscore 1.3.2 - 1.12.0
Severity: critical
bower-license >=0.1.0
Depends on vulnerable versions of bower-json
Depends on vulnerable versions of npm-license
Depends on vulnerable versions of underscore
Solution
It turns out that 8 out of 9 vulnerabilities (except for pkg) are transitive dependency of license-checker and oss-attribution-generator. These are abandoned projects, and we don't even use them but just declare them in the package.json.
Removing them fixes the issues.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Problem
We have 9 vulnerabilities in our dependency tree:
Solution
It turns out that 8 out of 9 vulnerabilities (except for
pkg) are transitive dependency oflicense-checkerandoss-attribution-generator. These are abandoned projects, and we don't even use them but just declare them in the package.json.Removing them fixes the issues.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.