Closed whoiscarlo closed 3 years ago
Hey @whoiscarlo, thanks for reporting.
Unfortunately some of these warnings are often completely irrelevant - like in this case. Maybe that's why GitHub's dependabot didn't flag this one for us.
In short: it's warning on the danger of passing untrusted user input to two particular methods in the `string` package: `underscore` and `unescapeHTML`. We don't use either of these methods in this package. There's no "fixed" version of `string` to upgrade to; the advice is to simply not pass untrusted user input to these two methods. Which we didn't do in the first place. So the only way to remove this [completely irrelevant] warning is for us to stop using the package, which we rely on for legitimate needs.
PS If you've just installed the package for the first time, check out our v2 beta on the README, which uses the new API we'll be using moving forward.
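The maintainer's argument above rests on one check: does the dependent package's own code ever call the two flagged `string` methods? This added script (not part of the issue or of yahoo-finance) performs that triage step on a constructed sample tree; it assumes a GNU or BSD grep that supports `-r`, `--include` and `--exclude-dir`.

```shell
#!/bin/sh
# Triage an npm audit finding with "No fix available": scan a dependency's
# OWN source for calls to the two `string` methods named in advisory 536.
# Nested node_modules are skipped so the `string` package's own code and
# tests do not count as usage by the dependent package.
# Assumes GNU or BSD grep (-r, --include, --exclude-dir).
# Real-project usage would be:  flagged_files node_modules/yahoo-finance

# Prints the number of *.js files under $1 that call .underscore( or
# .unescapeHTML( on anything; 0 means the advisory does not reach this code.
flagged_files() {
    grep -rlE --include='*.js' --exclude-dir=node_modules \
        '\.(underscore|unescapeHTML)\(' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample package: depends on `string` but only calls .trim().
# Its nested copy of `string` ships a test file that DOES call .underscore(),
# which must be ignored because it is not this package's code.
make_clean_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib" "$dir/node_modules/string"
    cat > "$dir/lib/index.js" <<'EOF'
var S = require('string');
module.exports = function (s) { return S(s).trim().s; };
EOF
    cat > "$dir/node_modules/string/test.js" <<'EOF'
S('fooBar').underscore();
EOF
    printf '%s' "$dir"
}

# Constructed sample where the package itself forwards input to unescapeHTML,
# i.e. the case in which the advisory would actually apply and need review.
make_flagged_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib"
    cat > "$dir/lib/render.js" <<'EOF'
var S = require('string');
module.exports = function (userInput) { return S(userInput).unescapeHTML().s; };
EOF
    printf '%s' "$dir"
}
```

A non-zero count only says the method is called somewhere; whether the argument can be untrusted input still needs a look at the matching lines (`grep -rnE` instead of `-rlE` prints them).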
@gadicc awesome thank you for the reply! I did try using the V2 but ran into issues with it while using Angular 11. I just submitted the issue.
Thank you for all of your work and effort. I'm still fairly new to web development, but if I can help out in any way let me know!
Hey @whoiscarlo, awesome, thanks for that. To be honest, just opening issues for things you notice is a big help since a lot of people just give up or struggle silently without us ever knowing. So keep it up :D (will respond to the other issue over there)
So I got this error report after installing `yahoo-finance` for the first time and then running `npm audit fix`. Seems like something I should worry about, no?

```
# npm audit report

string  Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/536
No fix available
node_modules/string
  yahoo-finance  Depends on vulnerable versions of string
  node_modules/yahoo-finance

2 high severity vulnerabilities

Some issues need review, and may require choosing a different dependency.
```