sinedied / hads

:books: Markdown superpowered documentation for Node.js
MIT License

npm audit report a Critical issue #31

Closed dcuenot closed 5 years ago

dcuenot commented 5 years ago

Hello,

When I run npm audit with hads in version 1.6.1, I have this report:

│ Critical      │ Command Injection
│ Package       │ open
│ Patched in    │ No patch available
│ Dependency of │ hads [dev]
│ Path          │ hads > open
│ More info     │ https://nodesecurity.io/advisories/663

Did you plan to fix this issue?

Thanks in advance for your answer. Damien

sinedied commented 5 years ago

As the command tells you, there's currently no patch available to fix that, and probably won't ever be, as the goal of the open package is to open a tool installed on your system (in this case, the browser).

Since the usage of this command is restricted to a local CLI command execution (it's not used by the server), it's not really an issue even though npm is noisy about it.

sinedied commented 5 years ago

@dcuenot I just released a new version that fixed the vulnerability report, I replaced the faulty module to avoid the noise.