Closed codecvlt closed 7 years ago
Updating the default phantomjs version to 2xx should fix this.
both vulnerabilities does not affect the security of the system for the use case that this package was built, the npm phantomjs
package is only using the request
package to install a phantomjs binary, it is not used while an application is running, it is only used when installing dependencies so i don't see any vulnerability here.
updating to phantomjs version 2 will only remove these warnings of the NSP but there is no other gain here.. also we don't want to make phantom v2 executable the default because phantom v2 has many rendering issues compared to phantom 1.9.8 (the most stable) executable.
if you are just worried about those warnings you can easily install phantomjs@2.x.x in your machine, the NSP warning still will be present but your system won't be using the phantom 1.9.8 executable.
Fair enough. Problem right now is your latest version in npm still lists phantomjs as a main dependency. I see in your master branch you made it an optionalDependency. Pointing my version to your master branch removes the NSP warning. When do you think you will release a new npm version which reflects what you have on master branch?
Weird, looks like 0.5.4 does have phantomjs as optional. My bad.
Hmm, though when installed, the package.json for 0.5.4 does have phantomjs in the "dependencies" section.
Hmm, though when installed, the package.json for 0.5.4 does have phantomjs in the "dependencies" section.
yes, that is the way that npm works, optionalDependencies
are always installed, the only difference is that if some optional dependency fails to install then the whole installation won't fail, it will just ignore the optional dependency.
i understand that seeing those warnings can be frustrating, so a solution can be to move the phantomjs
dependency from optionalDependencies
to peerDependencies
, but i'm not sure if everyone will be ok with that, so let's see.. (cc @pofider)
Makes sense. It's ok. I've added this package to my ignore list since it shouldn't be exploitable in my use case.
Cheers, and thanks for the quick responses!
I believe the explanation @bjrmatos has done is sufficient.
I don't plan to do big changes like moving the phantomjs
dependency out at this moment.