meteor / node-stubs

Stub implementations of Node built-in modules, a la Browserify
MIT License

Security: npm audit reports vulnerabilities #22

Closed SenadZaimovic closed 4 years ago

SenadZaimovic commented 4 years ago

Recently, npm audit has started reporting the current versions of some of this package's dependencies as vulnerable.

```
High            Signature Malleability
Package         elliptic
Patched in      >=6.5.3
Dependency of   meteor-node-stubs
Path            meteor-node-stubs > crypto-browserify > browserify-sign > elliptic
More info       https://npmjs.com/advisories/1547
```

neeldug commented 4 years ago

Should be fixed by #21

xet7 commented 4 years ago

@neeldug

It is not fixed by https://github.com/meteor/node-stubs/pull/21. A new release of node-stubs should be created.

```
$ npm install meteor-node-stubs@latest
+ meteor-node-stubs@1.0.0
updated 1 package and audited 673 packages in 4.093s

22 packages are looking for funding
  run `npm fund` for details

found 2 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit fix
up to date in 2.659s

22 packages are looking for funding
  run `npm fund` for details

fixed 0 of 2 vulnerabilities in 673 scanned packages
  2 vulnerabilities required manual review and could not be updated
```

xet7 commented 4 years ago

@filipenevola

Can you create a new release?

neeldug commented 4 years ago

@xet7 Yeah, sorry about that, it is fixed but does need a new release.

filipenevola commented 4 years ago

Hey @xet7 1.0.1 was released 5 days ago.

Not sure why your npm is not finding it.
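Added example, not part of the original thread or of the node-stubs project: one way to confirm which copies of `elliptic` a project actually installs, and whether each meets the `>=6.5.3` bound from the advisory. It assumes a `lockfileVersion` 1 `package-lock.json`; the sample lockfile, its versions and the helper names `compareVersions` and `findInstalled` are constructed for illustration.

```javascript
// Compare two plain x.y.z versions numerically (prerelease tags are ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 lockfile and
// return every installed copy of `name`, with its install path and status.
function findInstalled(lock, name, minPatched) {
  const hits = [];
  (function walk(deps, trail) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (dep === name) {
        hits.push({
          path: here.join(' > '),
          version: info.version,
          bundled: info.bundled === true,
          vulnerable: compareVersions(info.version, minPatched) < 0,
        });
      }
      walk(info.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (versions are illustrative, not from the issue):
// one copy nested under meteor-node-stubs, one hoisted to the top level.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'meteor-node-stubs': {
      version: '1.0.0',
      dependencies: { elliptic: { version: '6.5.2', bundled: true } },
    },
    elliptic: { version: '6.5.3' },
  },
};

for (const h of findInstalled(sampleLock, 'elliptic', '6.5.3')) {
  const tag = h.vulnerable ? 'VULNERABLE' : 'ok';
  console.log(`${tag} ${h.version} ${h.path}${h.bundled ? ' (bundled)' : ''}`);
}
```

To check a real project, replace `sampleLock` with the parsed contents of its `package-lock.json`. A copy marked as bundled ships inside its parent's tarball, so its version only changes when the parent package publishes a new release.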