Closed pdehaan closed 8 years ago
FWIW, here's the current `nsp check` output:

```
➜ able git:(master) nsp check -o summary
(+) 5 vulnerabilities found
 Name       Installed  Patched    Path                                             More Info
 moment     2.8.4      >=2.11.2   able@0.4.3 > convict@0.6.1 > moment@2.8.4        https://nodesecurity.io/advisories/55
 hapi       8.4.0      >=11.1.4   able@0.4.3 > hapi@8.4.0                          https://nodesecurity.io/advisories/65
 hapi       8.4.0      >=11.0.0   able@0.4.3 > hapi@8.4.0                          https://nodesecurity.io/advisories/45
 hapi       8.4.0      >=11.1.3   able@0.4.3 > hapi@8.4.0                          https://nodesecurity.io/advisories/63
 uglify-js  2.4.24     >=2.6.0    able@0.4.3 > uglify-js@2.4.24                    https://nodesecurity.io/advisories/48
```

Ref: https://github.com/mozilla/fxa-content-server/pull/3693
Currently the package.json file hardcodes to convict@0.6.1, which [unfortunately] has a non-kosher version of moment.
We should upgrade to the latest version of convict to appease the NSP gods.
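
Added example, not part of the original issue or of the able project's code: a small triage of the summary rows above that collapses multiple advisories for one package into a single minimum fixed version and names the direct dependency in package.json that has to be bumped (for moment, that is convict). The function names are hypothetical, the sample rows are copied from the output in this issue, and the parser assumes the Patched column is a single `>=x.y.z` floor.

```javascript
// Constructed sample: the five finding rows from the nsp summary in this issue.
const SAMPLE = `
moment 2.8.4 >=2.11.2 able@0.4.3 > convict@0.6.1 > moment@2.8.4 https://nodesecurity.io/advisories/55
hapi 8.4.0 >=11.1.4 able@0.4.3 > hapi@8.4.0 https://nodesecurity.io/advisories/65
hapi 8.4.0 >=11.0.0 able@0.4.3 > hapi@8.4.0 https://nodesecurity.io/advisories/45
hapi 8.4.0 >=11.1.3 able@0.4.3 > hapi@8.4.0 https://nodesecurity.io/advisories/63
uglify-js 2.4.24 >=2.6.0 able@0.4.3 > uglify-js@2.4.24 https://nodesecurity.io/advisories/48
`;

// Numeric x.y.z comparison (string comparison would rank 2.8.4 above 2.11.2).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Row layout: name, installed, ">=patched", "root > dep > ...", advisory URL.
// Assumption: the Patched column is a single ">=x.y.z" floor, as in this output.
function parseRow(line) {
  const m = line.trim().match(/^(\S+) (\S+) >=(\S+) (.+) (https?:\/\/\S+)$/);
  if (!m) return null; // header, blank or unrecognised line
  return { name: m[1], installed: m[2], patched: m[3], path: m[4].split(' > '), advisory: m[5] };
}

// One action per vulnerable package: the highest patched floor across all of
// its advisories, and the direct dependency in package.json that has to move.
function triage(text) {
  const actions = new Map();
  for (const row of text.split('\n').map(parseRow)) {
    if (!row || row.path.length < 2) continue;
    const direct = row.path[1]; // path[0] is the project itself
    const key = `${row.name}@${row.installed}`;
    if (!actions.has(key)) {
      actions.set(key, { name: row.name, installed: row.installed, minFixed: row.patched,
        transitive: row.path.length > 2, advisories: [],
        upgrade: direct.slice(0, direct.lastIndexOf('@')) });
    }
    const a = actions.get(key);
    if (compareVersions(row.patched, a.minFixed) > 0) a.minFixed = row.patched;
    a.advisories.push(row.advisory);
  }
  return [...actions.values()];
}

console.table(triage(SAMPLE));
```

For a transitive finding the `minFixed` value applies to the nested package, so the bumped direct dependency still has to be re-checked to confirm it actually resolves to a version at or above that floor.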