cloudhead / node-static

RFC 2616-compliant HTTP static-file server module, with built-in caching.
MIT License

fix: pin colors@1.4.0 to fix security vuln #234

Closed mannyluvstacos closed 2 years ago

mannyluvstacos commented 2 years ago

A security vuln was identified in the colors package for >1.4.0, the offending packages being 1.4.1 and 1.4.44-liberty.

This PR pins the colors package to 1.4.0, as advised on the Snyk page.
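As an added example (not code from this PR or from node-static), a small lockfile audit that reports every resolved copy of a package whose version differs from the one pinned here; it assumes a package-lock.json already parsed into an object and runs against a constructed sample lockfile.

```javascript
// Added example, not part of node-static: audit a parsed package-lock.json for
// resolved copies of a package that are not at the pinned version. Handles
// lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map).
function findVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/colors"
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // v1: nested dependency tree; recurse to catch transitive copies
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Returns the copies whose version is not exactly the pinned one (a nested
// copy pulled in by another dependency is still affected by the advisory).
function auditPin(lock, name, pinned) {
  return findVersions(lock, name).filter((f) => f.version !== pinned);
}

// Constructed sample lockfile (v2 shape): the top-level pin is correct, but a
// transitive dependency still resolves one of the affected releases.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/colors': { version: '1.4.0' },
    'node_modules/some-dep': { version: '1.0.0' },
    'node_modules/some-dep/node_modules/colors': { version: '1.4.44-liberty' },
  },
};

for (const v of auditPin(sampleLock, 'colors', '1.4.0')) {
  console.log(`${v.path}: resolved ${v.version}, expected 1.4.0`);
}
```

Pinning in package.json alone does not pin nested copies, which is why the audit walks the whole lockfile rather than only the top-level entry.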

brettz9 commented 2 years ago

@cloudhead: Besides fixing the vulnerability, I've added a few test tweaks to get CI passing again, but it really seems that, going with the full ESM approach (e.g., in the CLI), v12 is not gonna work. Since there are fewer than 4 months until v12 expires, what do you say about requiring Node 14?

brettz9 commented 2 years ago

@cloudhead : I've just pushed a commit to fix CI as our package-lock had needed updating too.

cloudhead commented 2 years ago

@cloudhead: Besides fixing the vulnerability, I've added a few test tweaks to get CI passing again, but it really seems that, going with the full ESM approach (e.g., in the CLI), v12 is not gonna work. Since there are fewer than 4 months until v12 expires, what do you say about requiring Node 14?

I think that makes sense.