Closed pa-w closed 6 years ago
This is from our dependency on jsdom. The dependency graph is jsdom->request->hawk->vulnerable version of hoek.
In package.json, you can see that this is only a dependency in our local development environment:
"devDependencies": {
    . . .
    "chai": "^3.5.0",
    "jsdom": "9.8.3",
    "jsdom-global": "2.1.0",
    "mocha": "^3.5.0",
    . . .
Since this does not affect the production (or even beta) environment, this is a low priority fix for us. We may be stuck if jsdom hasn't been updated to use a patched version of request.
The maintainer of jsdom has declined to take action.
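The triage reasoning in the comment above (trace the chain to hoek, then check whether it enters through devDependencies) can be automated. The following is an added example, not part of the original thread or the project's code. It assumes a tree shaped like the nested `dependencies` objects of `npm ls --json`; the `express` entry and every `x.y.z` version are constructed placeholders.

```javascript
// Added example with constructed data; not the project's real manifest or lockfile.
const pkg = {
  dependencies: { express: "x.y.z" }, // constructed production dependency
  devDependencies: { chai: "^3.5.0", jsdom: "9.8.3", "jsdom-global": "2.1.0", mocha: "^3.5.0" },
};

// Resolved tree, nested like the "dependencies" objects of `npm ls --json`.
// Versions other than jsdom's are placeholders; the page does not state them.
const tree = {
  dependencies: {
    express: { version: "x.y.z", dependencies: {} },
    jsdom: { version: "9.8.3", dependencies: {
      request: { version: "x.y.z", dependencies: {
        hawk: { version: "x.y.z", dependencies: {
          hoek: { version: "x.y.z" },
        } },
      } },
    } },
  },
};

// Depth-first walk returning every chain of package names that ends at `target`.
function findChains(node, target, path = []) {
  const chains = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const next = [...path, name];
    if (name === target) chains.push(next);
    chains.push(...findChains(child, target, next));
  }
  return chains;
}

// A chain counts as "production" when its first hop is declared under
// "dependencies"; otherwise it is only installed for development.
function classify(manifest, chains) {
  const prod = manifest.dependencies || {};
  return chains.map((chain) => ({
    chain: chain.join("->"),
    scope: Object.prototype.hasOwnProperty.call(prod, chain[0]) ? "production" : "development",
  }));
}

function report(manifest, resolved, target) {
  return classify(manifest, findChains(resolved, target));
}

console.log(report(pkg, tree, "hoek"));
```

A chain reported as "production" would change the priority call made in the thread, since the package would then ship with the deployed app.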
Great, thanks @aldenstpage. Let's keep an eye on this.
Closed since we are no longer using the original open-ledger app
GitHub detected a vulnerable dependency in our code.