http-party / http-server

a simple zero-configuration command-line http server
MIT License

OWASP vulnerability in dependency tree #860

Closed gauravghumakkad closed 2 months ago

gauravghumakkad commented 1 year ago

There are various published vulnerabilities in one of the dependencies of http-server: "http-server": "^14.1.0" => "opener": "^1.5.1"

Requesting to please check on this.

github-actions[bot] commented 1 year ago

This issue has been inactive for 180 days

KernelDeimos commented 2 months ago

Hello, I'd like to address this but I need more information to address it properly.

Given that the extent of the change in 1.5.2 is small, I have no problem updating the package. However, I'm unable to find any source mentioning a vulnerability and whether 1.5.2 addresses it.

KernelDeimos commented 2 months ago

I found the comment (https://github.com/nrwl/nx/issues/22206#issuecomment-2150286778) that explains what's going on. That vulnerability report is not at all related to the opener module that http-server is using. Please be very careful about producing/propagating inaccurate vulnerability reports, as it can cause a lot of grief for maintainers (both of the respective projects and outside of them).