mulesoft-labs / node-request-error-handler

Standardized error handler for rendering API responses

update vulnerable package #3

Closed pickworth closed 6 years ago

pickworth commented 8 years ago

negotiator must be updated to v0.6.1

https://nodesecurity.io/advisories/106

coveralls commented 8 years ago


Coverage remained the same at 96.087% when pulling 88164f00435138acb4654425cd0922ff2d21f291 on nmors:bugfix-vuln-patch-1 into 82c672abd299ecc7cdb6950906a2d1cc4ffb88b5 on mulesoft-labs:master.

coveralls commented 8 years ago


Coverage remained the same at 96.087% when pulling 14cc077192a620ef98f935a46f3b2c263a3055d5 on nmors:bugfix-vuln-patch-1 into 82c672abd299ecc7cdb6950906a2d1cc4ffb88b5 on mulesoft-labs:master.

tbruno commented 8 years ago

@nmors:

We are making use of Caret ranges (https://docs.npmjs.com/misc/semver#caret-ranges-123-025-004)

Allows changes that do not modify the left-most non-zero digit in the [major, minor, patch] tuple. In other words, this allows patch and minor updates for versions 1.0.0 and above, patch updates for versions 0.X >=0.1.0, and no updates for versions 0.0.X.

So by having "negotiator": "^0.6.0" in request-error-handler's package.json, we are indeed telling NPM to install the latest patch in 0.6.x for "negotiator".

pickworth commented 8 years ago

I am getting the vulnerable version when I do a fresh npm install

@tbruno Are you also? I'm using node 6.2.0. Specifying "^0.6.1" fixes it for me.

cesaraugustogarcia commented 8 years ago

Hi @nmors, I just tried a clean npm install after cloning the project and it worked fine for me (it brought in the negotiator version with the fix, 0.6.1):

negotiator@0.6.1 node_modules/negotiator

Have you tried cleaning your npm cache (npm cache clean)? Also, can you ensure you do not have an npm-shrinkwrap.json in your project?
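The thread turns on two points: the caret-range rule tbruno quotes from the npm semver docs (why "^0.6.0" should already pull in 0.6.1), and cesaraugustogarcia's question about a stale npm-shrinkwrap.json (why a fresh install can still land on 0.6.0). The script below is an added example, not code from node-request-error-handler or from anyone in the thread. It implements the caret rule for plain x.y.z versions, then models npm's choice under one simplifying assumption: a shrinkwrap entry pins the exact version, otherwise the highest published version inside the package.json range is installed. The list of published negotiator versions, the package.json and shrinkwrap objects, and the function names (satisfiesCaret, caretUpperBound, resolveVersion, isPatched, demo) are all constructed for the example.

```javascript
// Added example (not the project's code): caret-range semantics and a
// simplified model of why a shrinkwrap pin keeps a vulnerable version.
// Handles plain MAJOR.MINOR.PATCH versions only (no prerelease tags or
// x-ranges), which is enough for the "^0.6.0" vs "^0.6.1" discussion.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret rule quoted in the thread: the left-most non-zero component of
// the base version is frozen, everything to its right may increase.
//   ^1.2.3 -> >=1.2.3 <2.0.0
//   ^0.6.0 -> >=0.6.0 <0.7.0
//   ^0.0.3 -> >=0.0.3 <0.0.4
function caretUpperBound(base) {
  const p = parseVersion(base);
  const firstNonZero = p.findIndex((n) => n !== 0);
  const i = firstNonZero === -1 ? 2 : firstNonZero; // ^0.0.0 -> <0.0.1
  const upper = [0, 0, 0];
  upper[i] = p[i] + 1;
  return upper.join('.');
}

function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// Assumption for this example, not npm's real resolver: a shrinkwrap
// entry wins outright; otherwise the highest published version that
// satisfies the package.json range is chosen.
function resolveVersion(name, pkgJson, published, shrinkwrap) {
  const pinned = shrinkwrap && shrinkwrap.dependencies && shrinkwrap.dependencies[name];
  if (pinned) return pinned.version;
  const range = pkgJson.dependencies[name];
  const candidates = published[name]
    .filter((v) => satisfiesCaret(v, range))
    .sort(compareVersions);
  if (candidates.length === 0) throw new Error(`no published ${name} satisfies ${range}`);
  return candidates[candidates.length - 1];
}

// The check a practitioner actually wants: is what got installed at or
// above the first fixed release?
function isPatched(installed, firstFixed) {
  return compareVersions(installed, firstFixed) >= 0;
}

// Constructed inputs for the example (not the registry or the project's files).
const published = { negotiator: ['0.5.3', '0.6.0', '0.6.1'] };
const pkgJson = { dependencies: { negotiator: '^0.6.0' } };
const staleShrinkwrap = { dependencies: { negotiator: { version: '0.6.0' } } };

function demo() {
  const fresh = resolveVersion('negotiator', pkgJson, published, null);
  const pinned = resolveVersion('negotiator', pkgJson, published, staleShrinkwrap);
  return {
    fresh,                                  // '0.6.1': the caret range reaches the fix
    pinned,                                 // '0.6.0': the shrinkwrap pin overrides it
    freshPatched: isPatched(fresh, '0.6.1'),
    pinnedPatched: isPatched(pinned, '0.6.1'),
  };
}

console.log(demo());
```

The point of the model is that both participants can be right at once: the caret range does admit 0.6.1, and an old npm-shrinkwrap.json (or any other exact pin) still installs 0.6.0. Bumping the range to "^0.6.1" only helps if nothing pins below it, so the reliable check is the installed version itself, not the range in package.json.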