search

dylanb / gulp-coverage

Gulp coverage reporting for Node.js that is independent of the test runner
MIT License
60 stars 12 forks source link

Update depenendencies for vulnerability fixes #55

Open mikecbrant opened 5 years ago

mikecbrant commented 5 years ago

Running npm audit against latest package version reveals several problems which likely need dependency updates in this library.

First and foremost is the fact that this package still relies on jade rather modern pug replacement. There are 5 vulnerabilities related to this package alone.

Second, an update should be made to multimatch to get latest version which would eliminate underlying lodash vulnerabilities as multimatch no longer uses this package as dependency.

This would leave only a single remaining vulnerability exposed by the multimatch library for which I have already opened an issue - https://github.com/sindresorhus/multimatch/issues/26

mikecbrant commented 5 years ago

Multimatch package 3.0.0 was just released and addresses which includes fix for vulnerability noted above.