Open mkj28 opened 6 years ago
Those vulnerabilities are not exploitable in Mosca.
Fair enough, but mosca pulls them into the deployment
Is it possible to bundle mosca without the stateful functionality (perhaps exposing it through peer dependencies)?
You should use https://github.com/mcollina/aedes
Mosca dependencies pull libraries with security vulnerabilities.
bl version 0.8.2: https://nodesecurity.io/advisories/596
yarn why bl
Reasons this module exists
"mosca#level-sublevel#levelup" depends on it
deep-extend version 0.4.2: https://nodesecurity.io/advisories/612
"mosca#leveldown#prebuild#rc" depends on it
lodash version 3.10.1: https://nodesecurity.io/advisories/577
"mosca#ioredis" depends on it
stringstream version 0.0.5: https://nodesecurity.io/advisories/664
"mosca#leveldown#prebuild#node-ninja#request" depends on it