meanjs / mean

MEAN.JS - Full-Stack JavaScript Using MongoDB, Express, AngularJS, and Node.js -
http://meanjs.org
MIT License
4.87k stars, 1.98k forks

Is it secure to build an app with meanjs? #1905

Open Root-Control opened 7 years ago

Root-Control commented 7 years ago

Good day, I saw in the meanjs repo the following information:

Dependencies: insecure, Vulnerabilities: 6

and I saw some information about security with the meanjs framework. Now my question is... is it secure to make an app in this framework?

PierreBrisorgueil commented 6 years ago

Hi, I took a look at this @mleanos

meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp-eslint@3.0.1 › eslint@3.19.0 › shelljs@0.7.8 seems to be fixed in v0.9; we should wait if we want to keep eslint ...

Introduced through: meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp-refresh@1.1.0 › mini-lr@0.1.9 › qs@2.2.5
Introduced through: meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp-refresh@1.1.0 › mini-lr@0.1.9 › body-parser@1.14.2 › qs@5.2.0

Do you know an alternative to gulp-refresh? It seems to be archived, or we can quickly make a fork and release a new npm package with this fix: https://github.com/leo/gulp-refresh/pull/10/files

Introduced through: meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp@3.9.1 › vinyl-fs@0.3.14 › glob-stream@3.1.18 › minimatch@2.0.10
Remediation: Run snyk wizard to patch minimatch@2.0.10.
Introduced through: meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp-nodemon@2.2.1 › gulp@3.9.1 › vinyl-fs@0.3.14 › glob-stream@3.1.18 › minimatch@2.0.10
Remediation: Run snyk wizard to patch minimatch@2.0.10.
Introduced through: meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp@3.9.1 › vinyl-fs@0.3.14 › glob-stream@3.1.18 › glob@4.5.3 › minimatch@2.0.10
Remediation: Run snyk wizard to patch minimatch@2.0.10.

I think it's ok :)

lirantal commented 6 years ago

Right. The vulnerabilities detected are for some of the dev dependency tools that we use, so they're not included in production builds. Some of those tools don't yet have a fix released.
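As an added example (not code from the meanjs project or from anyone in this thread), the Node script below takes the Snyk "Introduced through" paths quoted above and applies the reasoning of the last reply: for each path it checks whether the top-level package is a runtime dependency or only a devDependency, so a reader can see which findings can reach a production build. The package.json excerpt is constructed for illustration and the function names are assumptions.

```javascript
// Constructed package.json excerpt: the gulp tooling sits under devDependencies,
// as the thread states; versions and runtime deps are illustrative.
const packageJson = {
  dependencies: { express: "4.16.3", mongoose: "5.0.12", "body-parser": "1.18.2" },
  devDependencies: {
    gulp: "3.9.1", "gulp-eslint": "3.0.1", "gulp-refresh": "1.1.0", "gulp-nodemon": "2.2.1"
  }
};

// Paths as quoted in the thread (Snyk output); each ends at the vulnerable package.
const snykPaths = [
  "meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp-eslint@3.0.1 › eslint@3.19.0 › shelljs@0.7.8",
  "meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp-refresh@1.1.0 › mini-lr@0.1.9 › qs@2.2.5",
  "meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp-refresh@1.1.0 › mini-lr@0.1.9 › body-parser@1.14.2 › qs@5.2.0",
  "meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp@3.9.1 › vinyl-fs@0.3.14 › glob-stream@3.1.18 › minimatch@2.0.10",
  "meanjs@meanjs/mean#66a8d24f1b69f9ddd0124ed72a1b14a0757ea575 › gulp-nodemon@2.2.1 › gulp@3.9.1 › vinyl-fs@0.3.14 › glob-stream@3.1.18 › minimatch@2.0.10"
];

// Split "name@version" at the last "@" so scoped packages (@scope/name@1.0.0) keep their name.
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  return at <= 0 ? { name: spec, version: "" } : { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Parse one Snyk path: drop the project root, return the chain of {name, version}.
function parsePath(line) {
  return line.split("›").map(s => s.trim()).filter(Boolean).slice(1).map(parseSpec);
}

// Classify a path by its top-level package: "production" if it is a runtime dependency
// (takes precedence when declared in both), "dev" if only a devDependency, else "unknown".
function classifyPath(line, pkg) {
  const chain = parsePath(line);
  const top = chain[0], vuln = chain[chain.length - 1];
  const scope = pkg.dependencies[top.name] ? "production"
              : pkg.devDependencies[top.name] ? "dev" : "unknown";
  return { top: top.name, vulnerable: `${vuln.name}@${vuln.version}`, scope };
}

// Summarise which reported paths actually reach a production build.
function triage(paths, pkg) {
  const results = paths.map(p => classifyPath(p, pkg));
  return { results, productionFindings: results.filter(r => r.scope === "production") };
}

console.table(triage(snykPaths, packageJson).results);
```

The check covers only the paths the scanner reported; a vulnerable package such as qs could still be reachable through a runtime dependency like body-parser, which only a full scan of the production tree would show.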