Open filoucrackeur opened 3 months ago
Do we have news here? It's annoying to manually set overrides while using newman cli in our project.
We can work around it by using version 6.2.0 of newman. It uses postman-runtime@7.41.2, which uses jose@5.6.3, which doesn't have the vulnerability.
Hello,
yarn audit shows this output: the jose dependency is vulnerable. Is it possible to upgrade or replace it?
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ jose vulnerable to resource exhaustion via specifically      │
│               │ crafted JWE with compressed plaintext                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jose                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.15.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ newman                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ newman > postman-runtime > jose                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1096835