mapbox / tokml

Convert GeoJSON to KML.
http://mapbox.github.io/tokml/
BSD 2-Clause "Simplified" License

Vulnerability with dependencies #36

Open JuanIrache opened 6 years ago

JuanIrache commented 6 years ago

I'm getting these problems when using the module. Not sure if it can be fixed by just updating to the latest modules or that would break something.

Manual Review

Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

High Regular Expression Denial of Service

Package minimatch

Patched in >=3.0.2

Dependency of tokml

Path tokml > strxml > tap > glob > minimatch

More info https://nodesecurity.io/advisories/118

Low Incorrect Handling of Non-Boolean Comparisons During Minification

Package uglify-js

Patched in >= 2.4.24

Dependency of tokml

Path tokml > strxml > tap > runforcover > bunker > burrito > uglify-js

More info https://nodesecurity.io/advisories/39

Low Regular Expression Denial of Service

Package uglify-js

Patched in >=2.6.0

Dependency of tokml

Path tokml > strxml > tap > runforcover > bunker > burrito > uglify-js

More info https://nodesecurity.io/advisories/48

found 3 vulnerabilities (2 low, 1 high) in 3335 scanned packages

3 vulnerabilities require manual review. See the full report for details

JuanIrache commented 6 years ago

I just realised there's work being done here: https://github.com/mapbox/tokml/pull/31