npm / npm-registry-client

http://npm.im/npm-registry-client
ISC License

Could you publish new version? #170

Open sisidovski opened 6 years ago

sisidovski commented 6 years ago

I noticed the current version has an old, vulnerable version of ssri. That was fixed in https://github.com/npm/npm-registry-client/pull/169 , but this fix is still not published.

emersonknapp commented 3 years ago

Bump - same package, same issue, but now the noted safe versions for ssri don't include 5.x at all. It'll need a new version bump here.

                      === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.0.2 <7.0.0 || >=8.0.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ dtslint [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ dtslint > @definitelytyped/utils > npm-registry-client >     │
│               │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
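
The audit output above reports a transitive `ssri` and the range it is patched in, but it does not say which resolved version actually sits at the bottom of that path. The following script is an added example (not code from npm-registry-client or from anyone in this thread) that walks an `npm ls --json`-shaped dependency tree and flags every copy of a package whose version falls outside the "Patched in" range printed by `npm audit`. The range grammar handled is only the subset npm audit prints (comparators joined by `||`); the dependency tree and all version numbers in it are constructed sample data, and the `5.3.0` resolved for `ssri` is a made-up value, not a claim about what this repository ships.

```javascript
// Added example: check resolved transitive versions against an npm audit
// "Patched in" range. Not part of npm-registry-client; sample data is constructed.

function parseVersion(v) {
  // Accept "1.2.3" or "v1.2.3"; prerelease/build suffixes are ignored here.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function parseComparator(c) {
  // One comparator such as ">=6.0.2", "<7.0.0" or a bare version (exact match).
  const m = /^(>=|<=|>|<|=)?\s*(v?\d+\.\d+\.\d+)$/.exec(c.trim());
  if (!m) throw new Error(`unsupported comparator: ${c}`);
  return { op: m[1] || '=', version: m[2] };
}

function comparatorMatches(cmp, version) {
  const r = compareVersions(version, cmp.version);
  switch (cmp.op) {
    case '>=': return r >= 0;
    case '<=': return r <= 0;
    case '>': return r > 0;
    case '<': return r < 0;
    default: return r === 0;
  }
}

// A range is satisfied if any "||"-separated comparator set matches in full.
function satisfiesRange(version, range) {
  return range.split('||').some(set =>
    set.trim().split(/\s+/).filter(Boolean)
      .map(parseComparator)
      .every(cmp => comparatorMatches(cmp, version)));
}

// Range copied from the audit output in this thread.
const SSRI_PATCHED_IN = '>=6.0.2 <7.0.0 || >=8.0.1';

// Walk a tree in the shape of `npm ls --json` output (nested "dependencies"
// objects with a "version" on each node) and collect unpatched copies.
function findUnpatched(tree, pkgName, patchedRange, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkgName && !satisfiesRange(node.version, patchedRange)) {
      hits.push({ path: here.join(' > '), version: node.version });
    }
    hits.push(...findUnpatched(node, pkgName, patchedRange, here));
  }
  return hits;
}

// Constructed tree mirroring the path the audit output reports. Every version
// here, including ssri 5.3.0, is a placeholder for illustration.
const sampleTree = {
  dependencies: {
    dtslint: {
      version: '0.0.0-sample',
      dependencies: {
        '@definitelytyped/utils': {
          version: '0.0.0-sample',
          dependencies: {
            'npm-registry-client': {
              version: '0.0.0-sample',
              dependencies: { ssri: { version: '5.3.0' } }
            }
          }
        }
      }
    }
  }
};

for (const hit of findUnpatched(sampleTree, 'ssri', SSRI_PATCHED_IN)) {
  console.log(`unpatched ${hit.path}@${hit.version}`);
}
```

To run it against a real project, replace `sampleTree` with `JSON.parse` of the output of `npm ls --json --all` and paste the "Patched in" string from the audit table; a non-empty result means the fix in a downstream package has not yet reached the version you actually install.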
ryanwillis commented 3 years ago

Bump - still an issue.