jsreport / jsreport-core

The minimalist jsreport rendering core
GNU Lesser General Public License v3.0

Alternative of Reap module #27

Closed kamesh95 closed 6 years ago

kamesh95 commented 6 years ago

The jsreport-core module's dependency reap has security issues. Actually, the reap module's dependencies ms and string are vulnerable. But even if the issues with these sub-modules are patched, they will never be released up to reap, as the reap module's repository seems to be deleted: https://github.com/visionmedia/reap So is there any alternative available for the reap module that can be used with jsreport-core?

pofider commented 6 years ago

I believe you can npm install reap. Take the code, put it in a repo reap2 and update the dependencies. I would happily accept a PR if you do it.

kamesh95 commented 6 years ago

Sure. Actually, reap is dependent on the ms module only. So I have upgraded and published the new reap2 module on npm. The other vulnerability, related to the string module, is however in a dependency of node-script-manager. The issue with string is not patched so far: https://nodesecurity.io/advisories/536 So for now I think you can upgrade only your reap dependency. I will create a pull request for the same. Thanks.

pofider commented 6 years ago

Ok, thank you.

kamesh95 commented 6 years ago

Here's the PR for the fix: https://github.com/jsreport/jsreport-core/pull/28

kamesh95 commented 6 years ago

@pofider Just curious. When will you publish the newer version on npm? I need to use it in my codebase. Thanks!

kamesh95 commented 6 years ago

@bjrmatos @pofider Any updates on when you guys will publish the current version with resolved vulnerabilities on npm?

pofider commented 6 years ago

reap2 is used in jsreport@2. Sorry for the delay.