karma-runner / karma-browserstack-launcher

A Karma plugin. Launch any browser on BrowserStack!
MIT License
150 stars 82 forks

npm audit security vulnerability warnings #132

Closed josdejong closed 6 years ago

josdejong commented 6 years ago

When running npm audit in my project, I get two warnings related to dependencies of karma-browserstack-launcher:

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-browserstack-launcher [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma-browserstack-launcher > browserstack >                 │
│               │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/593                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-browserstack-launcher [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma-browserstack-launcher > browserstacktunnel-wrapper >   │
│               │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/593                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

It would be great if the vulnerable dependencies could be updated. Thanks!

Pringels commented 6 years ago

Looks like someone has already opened a PR against browserstacktunnel-wrapper:

https://github.com/pghalliday/node-BrowserStackTunnel/pull/32

Pringels commented 6 years ago

The PR was merged: https://github.com/pghalliday/node-BrowserStackTunnel/blob/master/package.json#L49

This issue can probably be closed now?

josdejong commented 6 years ago

That's good news.

Running npm audit fix now fixes this issue. Thanks!
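As an added example (not the project's or the reporter's own code), a small Node script that walks a package-lock.json and lists every nested copy of https-proxy-agent still below the patched 2.2.0, which is one way to confirm what npm audit fix actually changed. The sample lockfile, its version numbers and the minimal semver comparison are constructed for the demo; the script follows the lockfile's physical nesting, which differs from the logical "Path" npm audit prints when a package has been hoisted to the top level.

```javascript
// Added example, not part of karma-browserstack-launcher: find copies of
// https-proxy-agent in a lockfile's nested "dependencies" tree (npm lockfile
// v1 layout) whose resolved version is below the patched 2.2.0.
const PATCHED = [2, 2, 0];

// Minimal semver parse: prerelease/build suffixes are dropped, so a prerelease
// is treated as its base version (good enough for a >= check).
function parseVersion(v) {
  return v.replace(/[-+].*$/, '').split('.').map(Number);
}

function isPatched(version, patched = PATCHED) {
  const parts = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if ((parts[i] || 0) > patched[i]) return true;
    if ((parts[i] || 0) < patched[i]) return false;
  }
  return true; // exactly the patched version
}

// Recursively collect "a > b > c" style paths (the form npm audit prints)
// for every occurrence of `name` in the nested dependency tree.
function findPaths(deps, name, prefix = []) {
  const found = [];
  for (const [pkg, info] of Object.entries(deps || {})) {
    const path = prefix.concat(pkg);
    if (pkg === name) found.push({ path: path.join(' > '), version: info.version });
    found.push(...findPaths(info.dependencies, name, path));
  }
  return found;
}

function vulnerablePaths(lock, name = 'https-proxy-agent') {
  return findPaths(lock.dependencies, name).filter(e => !isPatched(e.version));
}

// Constructed sample lockfile mirroring the two paths from the audit report:
// the browserstack copy is still old, the tunnel-wrapper copy is already fixed.
// All version strings here are made up for the demo, not real release numbers.
const sampleLock = {
  dependencies: {
    'karma-browserstack-launcher': {
      version: '0.0.0-constructed',
      dependencies: {
        browserstack: { version: '0.0.0-constructed',
          dependencies: { 'https-proxy-agent': { version: '1.0.0' } } },
        'browserstacktunnel-wrapper': { version: '0.0.0-constructed',
          dependencies: { 'https-proxy-agent': { version: '2.2.1' } } }
      }
    }
  }
};

console.log(vulnerablePaths(sampleLock));
```

To run it against a real project, replace sampleLock with JSON.parse of the project's package-lock.json; an empty result means every nested copy is at or above 2.2.0.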