notifme / notifme-sdk

A Node.js library to send all kinds of transactional notifications.
https://notifme.github.io/www/
MIT License

nsp fails notifme-sdk due to https://nodesecurity.io/advisories/534 #25

Closed mikiwiik closed 6 years ago

mikiwiik commented 6 years ago

The current (1.4.0) notifme-sdk is caught by nsp due to https://nodesecurity.io/advisories/534

For sure, the root cause is node-gcm, but notifme-sdk gets the nsp blame :-)

npm i nsp
nsp check --output summary

(+) 1 vulnerabilities found
Name   Installed  Patched                       Path                                                                               More Info
debug  0.8.1      >= 2.6.9 < 3.0.0 || >= 3.1.0  notifme-sdk@1.4.0 > node-pushnotifications@1.0.18 > node-gcm@0.14.6 > debug@0.8.1  https://nodesecurity.io/advisories/534

BDav24 commented 6 years ago

The problem also comes from node-apn https://github.com/node-apn/node-apn/pull/595/files. Thanks for the notice, I'll update as soon as a new version is available!

BDav24 commented 6 years ago

For reference: https://github.com/appfeel/node-pushnotifications/issues/63

BDav24 commented 6 years ago

Seems to be alright now:

npx nsp check
(+) No known vulnerabilities found

Anyway I activated Greenkeeper to upgrade dependencies automatically (https://github.com/notifme/notifme-sdk/pull/26)
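
The kind of check behind the nsp finding at the top of this issue, as an added example that is not part of the original thread and is not nsp's own code: it walks a dependency tree and reports every path ending in a `debug` version outside the advisory's patched range. The `example-logger` branch and the function names are constructed for illustration, and version parsing assumes plain `x.y.z` versions only.

```javascript
// Added example: minimal advisory matcher, not nsp's implementation.
// Handles only plain x.y.z versions and the operators >=, >, <=, <, =.
const parse = (v) => v.split('.').map(Number);

function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// A range is "||"-separated alternatives; each alternative is a set of
// comparators that must all hold, e.g. ">= 2.6.9 < 3.0.0 || >= 3.1.0".
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const comparators = [...alt.matchAll(/(>=|<=|>|<|=)\s*(\d+\.\d+\.\d+)/g)];
    return comparators.length > 0 && comparators.every(([, op, bound]) => {
      const c = compare(version, bound);
      return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
    });
  });
}

// Walk the tree depth-first and report every path ending in an unpatched copy.
function findVulnerable(node, advisory, trail = []) {
  const here = [...trail, `${node.name}@${node.version}`];
  const hits = [];
  if (node.name === advisory.name && !satisfies(node.version, advisory.patched)) {
    hits.push(here.join(' > '));
  }
  for (const dep of node.dependencies || []) {
    hits.push(...findVulnerable(dep, advisory, here));
  }
  return hits;
}

// Constructed tree: the first branch copies the path nsp printed in this issue;
// the second branch (an already patched debug) is made up for contrast.
const tree = {
  name: 'notifme-sdk', version: '1.4.0', dependencies: [
    { name: 'node-pushnotifications', version: '1.0.18', dependencies: [
      { name: 'node-gcm', version: '0.14.6', dependencies: [
        { name: 'debug', version: '0.8.1' }] }] },
    { name: 'example-logger', version: '1.0.0', dependencies: [
      { name: 'debug', version: '2.6.9' }] },
  ],
};
const advisory534 = { name: 'debug', patched: '>= 2.6.9 < 3.0.0 || >= 3.1.0' };

console.log(findVulnerable(tree, advisory534));
```

The walk reports the full path, which shows why the fix had to land upstream: the unpatched `debug` is three levels below notifme-sdk, so only a new release of the intermediate packages changes the result.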