micromatch / braces

Faster brace expansion for node.js. Besides being faster, braces is not subject to DoS attacks like minimatch, is more accurate, and has more complete support for Bash 4.3.
https://github.com/jonschlinkert
MIT License
220 stars · 61 forks

"Regular Expression Denial of Service" Vulnerability thrown despite package update #22

Closed Orrison closed 5 years ago

Orrison commented 5 years ago

It seems this package is still throwing a "Regular Expression Denial of Service" vulnerability despite updating to 2.3.1 or higher, as stated in the advisory https://www.npmjs.com/advisories/786

I have reached out to the npm security team to see if this is an issue on their end, but I think it is important to note since it is throwing errors in the most up-to-date version of npm.

venkate5hgunda commented 5 years ago

Yes. It is saying it has been patched in version 2.3.1, yet I'm still facing this issue with the latest version.

jonschlinkert commented 5 years ago

> It seems this package is still throwing

"throwing" an annoying message in the terminal, you mean?

> Yes. It is saying it has been patched in version 2.3.1 yet I'm still facing this issue with the latest version

Please notify NPM, the problem seems to be on their end.

I'll leave this open until it's resolved.

Orrison commented 5 years ago

The npm security team got back to me and said this is not something their team can resolve and to reach out to the npm support team. I sent them an email and I am now waiting for a reply back.

Will update here with what they say.

jonschlinkert commented 5 years ago

@GaxZE that didn't even mention braces, that output isn't related to this repository.

Orrison commented 5 years ago

Hey folks,

So this was definitely my bad, sorry for the runaround @jonschlinkert.

So the deal was that I was specifically requesting jest@23.6.0 in my package.json which down the tree had the outdated braces dependency.

I was able to use the package npm-remote-ls to check out my current version of jest and look down its tree.

The key was to look at the first package listed in the audit error and check to see if you have that one updated in your package.json.

Sorry about that, I am new to node and npm.
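The diagnosis above (an old braces pulled in transitively by jest@23.6.0, with the package to fix being the first one in the audit path) can be automated from the lockfile. The script below is an added example, not code from the braces project or from anyone in this thread: it walks a package-lock.json in the v1 nested layout and reports every `requires` chain that ends in a braces older than the advisory's fix version. The lockfile excerpt inside it is constructed for illustration, and versions are assumed to be plain x.y.z.

```javascript
// Walks a package-lock.json (lockfile v1 nested layout) and reports every `requires`
// chain ending in a copy of `pkgName` older than `fixedIn`, resolving names against the
// nearest enclosing `dependencies` scope like Node does, so it mirrors npm audit's "Path".
function olderThan(a, b) {                        // '1.8.5' < '2.3.1' -> true (plain x.y.z)
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}
// Find `name` in the innermost scope that defines it (scopes[0] is the root node_modules).
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && scopes[i][name]) return { node: scopes[i][name], depth: i };
  }
  return null;
}
function findVulnerablePaths(lock, pkgName, fixedIn) {
  const hits = [];
  const walk = (name, node, scopes, path) => {
    const chain = [...path, `${name}@${node.version}`];
    if (name === pkgName && olderThan(node.version, fixedIn)) hits.push(chain);
    const inner = [...scopes, node.dependencies];             // this package's nested copies
    for (const dep of Object.keys(node.requires || {})) {
      if (chain.some(p => p.startsWith(`${dep}@`))) continue;  // cycle guard
      const r = resolve(inner, dep);
      if (r) walk(dep, r.node, inner.slice(0, r.depth + 1), chain);
    }
  };
  for (const [name, node] of Object.entries(lock.dependencies || {})) {
    walk(name, node, [lock.dependencies], []);
  }
  return hits;
}
// The first element of each chain is the package declared in your own package.json.
function topLevelCulprits(hits) {
  return [...new Set(hits.map(chain => chain[0]))];
}
// Constructed lockfile excerpt: jest@23.6.0 reaches braces 1.x through micromatch 2.x,
// while the root already holds a patched braces 2.3.2 (which is why the audit still fires).
const SAMPLE_LOCK = { dependencies: {
  jest: { version: '23.6.0', requires: { 'jest-cli': '^23.6.0' } },
  'jest-cli': { version: '23.6.0', requires: { micromatch: '^2.3.11' }, dependencies: {
    micromatch: { version: '2.3.11', requires: { braces: '^1.8.2' } },
    braces: { version: '1.8.5' } } },
  braces: { version: '2.3.2' } } };
const hits = findVulnerablePaths(SAMPLE_LOCK, 'braces', '2.3.1');
console.log(hits.map(c => c.join(' > ')).join('\n'));
console.log('declared dependencies to update:', topLevelCulprits(hits));
```

Against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` and the reported top-level names are the ones to bump in package.json.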