brianloveswords / base64url

For encoding and decoding base64url!
MIT License

Vulnerability "npm audit" #30

Closed ktquez closed 6 years ago

ktquez commented 6 years ago

I'm trying to install gh-pages and received from npm audit the message:

=== npm audit security report ===
Moderate: Out-of-bounds Read
Package: base64url
Patched in: >=3.0.0
Dependency of: gh-pages [dev]
Path: gh-pages > base64url
More info: https://nodesecurity.io/advisories/658

[!] 1 vulnerability found - Packages audited: 47 (47 dev, 0 optional)
Severity: 1 Moderate

soufian044 commented 6 years ago

+1

jeffwilcox commented 6 years ago

The message is accurate in that the vulnerability is only an issue when used in Node.js versions up to and including Node 4. These days (LTS schedule: https://github.com/nodejs/Release) Node 4 is not even supported any longer.

For many people then the proper outcome is to evaluate your use, and if you're on Node 6, 8, 10 - the modern ones, to essentially ignore as not impacted. It's too bad though that npm will probably still continue to have this message, as the vulnerability data does not seem to take into account the engine version.

I wonder if it would help to do something such as update package.json to add an engines clause, with the hope that after publishing a minor increment to 3.0.1, the CVE associated with the package would no longer apply with such an engine check...

i.e. adding { "engines" : { "node" : ">= 6.0.0" } } to package.json, or if need really be, adding some kind of explicit check in the library?
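As an added example (not code from the base64url project or from any commenter), this is what the "explicit check in the library" floated above could look like: an `engines` clause only advises npm and, as noted, npm audit does not consult it, so a load-time check is what actually refuses to run on an engine the library does not support. The function names, the minimum major version of 6 and the sample version strings are assumptions made for this illustration.

```javascript
// Added example, not from the base64url project: a runtime Node.js engine check
// of the kind suggested in the comment above. Names and the minimum version are
// assumptions; the "engines" object mirrors the suggested package.json clause.

const MIN_NODE_MAJOR = 6; // assumption: matches "engines": { "node": ">= 6.0.0" }

// Extract the major version from a Node.js version string such as "v10.15.3"
// (process.version carries the leading "v"). Returns null for non-versions.
function parseNodeMajor(versionString) {
  const match = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(versionString));
  return match ? Number(match[1]) : null;
}

// True when the given (default: running) Node.js version meets the minimum major.
function isSupportedNode(versionString = process.version, minMajor = MIN_NODE_MAJOR) {
  const major = parseNodeMajor(versionString);
  return major !== null && major >= minMajor;
}

// Fail fast at module load on an unsupported engine, rather than silently taking
// code paths that are only safe on newer releases. Throws on an old or unparsable version.
function assertSupportedNode(versionString = process.version, minMajor = MIN_NODE_MAJOR) {
  if (!isSupportedNode(versionString, minMajor)) {
    throw new Error(
      `Unsupported Node.js version ${versionString}; this library requires >= ${minMajor}.0.0`
    );
  }
  return true;
}

// The package.json "engines" clause from the comment above, as data, so the two
// mechanisms (npm metadata and runtime check) are kept in sync from one constant.
const enginesClause = { engines: { node: `>= ${MIN_NODE_MAJOR}.0.0` } };

// Demonstration: enforce the check for the current process and show the clause.
assertSupportedNode();
console.log(`Node ${process.version} is supported; engines clause:`, JSON.stringify(enginesClause));
```

In a library, `assertSupportedNode()` would run once at the top of the entry module; the `engines` clause is still worth shipping alongside it so that npm can warn at install time even though, as the comment observes, the audit data itself ignores it.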

MylesBorins commented 6 years ago

This has been fixed in master, soon to be fixed in 3.0.1