Not sure if we're using CORS, but noticed this while running nsp against a related project:
```
$ nsp check
(+) 2 vulnerabilities found
┌───────────────┬──────────────────────────────────────────────────────────┐
│               │ Incorrect handling of CORS preflight request headers     │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Name          │ hapi                                                     │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Installed     │ 9.3.1                                                    │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Vulnerable    │ <11.0.0                                                  │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Patched       │ >=11.0.0                                                 │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Path          │ able > hapi                                              │
├───────────────┼──────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/45                    │
└───────────────┴──────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                     │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Name          │ uglify-js                                                │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Installed     │ 2.4.24                                                   │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Vulnerable    │ All                                                      │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Patched       │ None                                                     │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Path          │ able > uglify-js                                         │
├───────────────┼──────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/48                    │
└───────────────┴──────────────────────────────────────────────────────────┘
```
I filed the Hapi issue upstream as https://github.com/hapijs/hapi/issues/2896. Not sure if there is anything super-actionable we can do with it currently, unless we migrate to hapi@11 (which I believe requires Node 4+).
"No. The 9.x implementation is reasonable and as long as you don't use per-route settings should be fine. If you have a specific issue, open a new one."