domenic / svg2png

Converts SVGs to PNGs, using PhantomJS

Indirect dependency on hoek@4.2.1 #110

Closed dylanpyle closed 6 years ago

dylanpyle commented 6 years ago

Looks like:

Not sure how feasible it is to remove/upgrade this chain of dependencies, but the end result is this in every project which uses svg2png:

— since apparently hoek < 5.0.3 contains security vulnerabilities.

domenic commented 6 years ago

If someone can demonstrate an attack against svg2png, I am happy to investigate this, but in general I do not find these kinds of automated "vulnerability" findings to be useful.