gruntjs / grunt-contrib-watch

Run tasks whenever watched files change.
http://gruntjs.com/
MIT License
1.98k stars 356 forks

update tiny-lr #530

akoskm closed 6 years ago

akoskm commented 7 years ago

The latest versions of tiny-lr aren't depending on body-parser anymore. Can we update it to its latest version?

I'm willing to send a pull request but I was wondering if there's a reason behind going with 0.2.1.

dackmin commented 6 years ago

In addition to this, tiny-lr is still using debug#v2.6.7, which throws Low Vulnerability issues over at node-security (found here). Maybe we should wait for tiny-lr to be updated with an (already) patched version of debug before merging this PR (I created an issue on their repo) or replace tiny-lr with something else.

dkomando commented 6 years ago

Just ran a snyk security test to add to this:

```
$ snyk test
✗ High severity vulnerability found on qs@5.1.0
```

plroebuck commented 6 years ago

Any progress? Are there that many changes needed to migrate to the current version of tiny-lr?