brocessing / kirby-webpack

:muscle: A Kirby CMS starter-kit with modern frontend tools
MIT License
179 stars 23 forks

Found 1 low severity vulnerability #46

Closed PeteCrighton closed 6 years ago

PeteCrighton commented 6 years ago

npm install finds a vulnerability that requires manual review and cannot be updated by npm audit fix.

npm audit yields:

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > localtunnel > debug                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 7697 scanned packages
  1 vulnerability requires manual review. See the full report for details.

pqml commented 6 years ago

Yes, the debug package has been fixed but localtunnel is not updated yet

An issue and a PR already exist for this: https://github.com/localtunnel/localtunnel/issues/272

I will update kirby webpack dependencies when this is fixed
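As an added example (not code from kirby-webpack, localtunnel or this thread), the script below models why the finding above needs manual review rather than `npm audit fix`: the intermediate package's declared range has to admit a patched version before npm can bump the transitive dependency. The patched range for debug comes from the audit report; every version number and declared range in the tree is constructed.

```javascript
// Added example, not from the kirby-webpack repo or this thread. It models why
// an npm audit finding lands in "Manual Review": npm audit fix can only bump a
// transitive package if its parent's declared range admits a patched version.
// Only the "debug" patched range is taken from the report; versions are constructed.
const parse = v => v.split('.').map(Number);

// Compare two x.y.z versions: negative, zero or positive, like strcmp.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Patched in: >= 2.6.9 < 3.0.0 || >= 3.1.0 (from the audit report above).
const isPatched = v => (cmp(v, '2.6.9') >= 0 && cmp(v, '3.0.0') < 0) || cmp(v, '3.1.0') >= 0;
const patchedCandidates = ['2.6.9', '3.1.0']; // lowest version of each patched interval

// Minimal range support: an exact pin "x.y.z" or a caret "^x.y.z" (>= x.y.z, < next major).
function rangeAdmits(range, v) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return cmp(v, base) >= 0 && cmp(v, `${parse(base)[0] + 1}.0.0`) < 0;
  }
  return cmp(v, range) === 0;
}

// Constructed tree shaped like the reported path browser-sync > localtunnel > debug.
// debugRange is what localtunnel declares for debug; debugVersion is what got installed.
function makeTree(debugRange, debugVersion = '2.6.8') {
  return { name: 'browser-sync', version: '2.24.4', range: '^2.24.4', deps: [
    { name: 'localtunnel', version: '1.8.3', range: '^1.8.3', deps: [
      { name: 'debug', version: debugVersion, range: debugRange, deps: [] },
    ] },
  ] };
}

// Walk the tree; for each unpatched copy of pkg, report its path and whether the
// parent's declared range admits any patched version (i.e. npm audit fix could do it).
function auditFindings(node, pkg, path = []) {
  const here = [...path, `${node.name}@${node.version}`];
  const out = [];
  if (node.name === pkg && !isPatched(node.version)) {
    out.push({ path: here.join(' > '), autoFixable: patchedCandidates.some(c => rangeAdmits(node.range, c)) });
  }
  for (const d of node.deps) out.push(...auditFindings(d, pkg, here));
  return out;
}

// A pinned "2.6.8" needs an upstream localtunnel release; "^2.6.8" would admit 2.6.9.
console.log(auditFindings(makeTree('2.6.8'), 'debug'), auditFindings(makeTree('^2.6.8'), 'debug'));
```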

pqml commented 5 years ago

Fixed in latest release https://github.com/brocessing/kirby-webpack/releases/tag/0.10.0